{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","type":"deb","namespace":"debian","name":"lucene-solr","version":"0","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"3.6.2+dfsg-2","latest_non_vulnerable_version":"3.6.2+dfsg-27","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52024?format=json","vulnerability_id":"VCID-2fyt-y5n1-zfbd","summary":"Unrestricted Upload of File with Dangerous Type\nApache Solr contain an insecure setting for the `ENABLE_REMOTE_JMX_OPTS` configuration option in the default `solr. then JMX monitoring will be enabled and exposed on `RMI_PORT` (`default=18983`), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12409.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12409.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12409","reference_id":"","reference_type":"","scores":[{"value":"0.8277","scoring_system":"epss","scoring_elements":"0.99261","published_at":"2026-06-05T12:55:00Z"},{"value":"0.8277","scoring_system":"epss","scoring_elements":"0.9926","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12409"},{"reference_url":"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12409-RCE%20Vulnerability%20Due%20to%20Bad%20Defalut%20Config-Apache%20Solr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12409-RCE%20Vulnerability%20Due%20to%20Bad%20Defalut%20Config-Apache%20Solr"},{"reference_url":"https://github.com/github/advisory-review/pull/12462","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/github/advisory-review/pull/12462"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-13647","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-13647"},{"reference_url":"https://lists.apache.org/thread.html/47e112035b4aa67ece3b75dbcd1b9c9212895b9dfe2a71f6f7c174e2@%3Cannounce.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/47e112035b4aa67ece3b75dbcd1b9c9212895b9dfe2a71f6f7c174e2@%3Cannounce.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/925cdb49ceae78baddb45da7beb9b4d2b1ddc4a8e318c65e91fb4e87@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/925cdb49ceae78baddb45da7beb9b4d2b1ddc4a8e318c65e91fb4e87@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/a044eae4f6f5b0160ece5bf9cc4c0dad90ce7dd9bb210a9dc50b54be@%3Cgeneral.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/a044eae4f6f5b0160ece5bf9cc4c0dad90ce7dd9bb210a9dc50b54be@%3Cgeneral.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ce7c0b456b15f6c7518adefa54ec948fed6de8e951a2584500c1e541@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ce7c0b456b15f6c7518adefa54ec948fed6de8e951a2584500c1e541@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://support.f5.com/csp/article/K23720587?utm_source=f5support&utm_medium=RSS","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://support.f5.com/csp/article/K23720587?utm_source=f5support&utm_medium=RSS"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1774734","reference_id":"1774734","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1774734"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12409","reference_id":"CVE-2019-12409","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12409"},{"reference_url":"https://github.com/advisories/GHSA-2289-pqfq-6wx7","reference_id":"GHSA-2289-pqfq-6wx7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2289-pqfq-6wx7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2019-12409","GHSA-2289-pqfq-6wx7"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2fyt-y5n1-zfbd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54335?format=json","vulnerability_id":"VCID-3zcs-eg6f-fubn","summary":"Incorrect Authorization\nWhen using `ConfigurableInternodeAuthHadoopPlugin` for authentication, Apache Solr would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29943.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29943.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29943","reference_id":"","reference_type":"","scores":[{"value":"0.058","scoring_system":"epss","scoring_elements":"0.90684","published_at":"2026-06-05T12:55:00Z"},{"value":"0.058","scoring_system":"epss","scoring_elements":"0.90671","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29943"},{"reference_url":"https://lists.apache.org/thread.html/r91dd0ff556e0c9aab4c92852e0e540c59d4633718ce12881558cf44d%40%3Cusers.solr.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r91dd0ff556e0c9aab4c92852e0e540c59d4633718ce12881558cf44d%40%3Cusers.solr.apache.org%3E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210604-0009","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210604-0009"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949521","reference_id":"1949521","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949521"},{"reference_url":"https://security.archlinux.org/AVG-1808","reference_id":"AVG-1808","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1808"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29943","reference_id":"CVE-2021-29943","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29943"},{"reference_url":"https://github.com/advisories/GHSA-vf7p-j8x6-xvwp","reference_id":"GHSA-vf7p-j8x6-xvwp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vf7p-j8x6-xvwp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2021-29943","GHSA-vf7p-j8x6-xvwp"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3zcs-eg6f-fubn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40044?format=json","vulnerability_id":"VCID-45ku-xn2x-3fdg","summary":"Improper Restriction of XML External Entity Reference\nThis vulnerability in Apache Solr relates to an XML external entity expansion (XXE) in Solr config files.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-8026.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-8026.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-8026","reference_id":"","reference_type":"","scores":[{"value":"0.04341","scoring_system":"epss","scoring_elements":"0.89128","published_at":"2026-06-05T12:55:00Z"},{"value":"0.04341","scoring_system":"epss","scoring_elements":"0.89111","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-8026"},{"reference_url":"https://github.com/advisories/GHSA-7px3-6f6g-hxcj","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7px3-6f6g-hxcj"},{"reference_url":"https://github.com/apache/lucene-solr/commit/1880d4824e6c5f98170b9a00aad1d437ee2aa12","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr/commit/1880d4824e6c5f98170b9a00aad1d437ee2aa12"},{"reference_url":"https://github.com/apache/lucene-solr/commit/3aa6086ed99fa7158d423dc7c33dae6da466b09","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr/commit/3aa6086ed99fa7158d423dc7c33dae6da466b09"},{"reference_url":"https://github.com/apache/lucene-solr/commit/d1baf6ba593561f39e2da0a71a8440797005b55","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr/commit/d1baf6ba593561f39e2da0a71a8440797005b55"},{"reference_url":"https://github.com/apache/lucene-solr/commit/e21d4937e0637c7b7949ac463f331da9a42c07f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/lucene-solr/commit/e21d4937e0637c7b7949ac463f331da9a42c07f"},{"reference_url":"https://github.com/apache/lucene-solr/commit/e5407c5a9710247e5f728aae36224a245a51f0b","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr/commit/e5407c5a9710247e5f728aae36224a245a51f0b"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-12450","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-12450"},{"reference_url":"https://mail-archives.apache.org/mod_mbox/lucene-solr-user/201807.mbox/%3C0cdc01d413b7%24f97ba580%24ec72f080%24%40apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://mail-archives.apache.org/mod_mbox/lucene-solr-user/201807.mbox/%3C0cdc01d413b7%24f97ba580%24ec72f080%24%40apache.org%3E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190307-0002","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20190307-0002"},{"reference_url":"http://www.securityfocus.com/bid/104690","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/104690"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1598621","reference_id":"1598621","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1598621"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8026","reference_id":"CVE-2018-8026","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8026"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2018-8026","GHSA-7px3-6f6g-hxcj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-45ku-xn2x-3fdg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92492?format=json","vulnerability_id":"VCID-47b2-8kgs-yugd","summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-8795","reference_id":"","reference_type":"","scores":[{"value":"0.02559","scoring_system":"epss","scoring_elements":"0.85787","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02559","scoring_system":"epss","scoring_elements":"0.85809","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-8795"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-7346","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-7346"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8795","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8795"},{"reference_url":"https://github.com/advisories/GHSA-mx2h-hf7j-2x3p","reference_id":"GHSA-mx2h-hf7j-2x3p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mx2h-hf7j-2x3p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2015-8795","GHSA-mx2h-hf7j-2x3p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-47b2-8kgs-yugd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46831?format=json","vulnerability_id":"VCID-4n2d-437t-dufq","summary":"Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.\nThe Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-proccess.\n\nThe Solr Metrics API is protected by the \"metrics-read\" permission.\nTherefore, Solr Clouds with Authorization setup will only be vulnerable via users with the \"metrics-read\" permission.\nThis issue affects Apache Solr: from 9.0.0 before 9.3.0.\n\nUsers are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50290.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50290.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50290","reference_id":"","reference_type":"","scores":[{"value":"0.92953","scoring_system":"epss","scoring_elements":"0.99784","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50290"},{"reference_url":"https://github.com/apache/lucene-solr","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr"},{"reference_url":"https://github.com/apache/solr/commit/35fc4bdc48171d9a64251c54a1e76deb558cf9d8","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/solr/commit/35fc4bdc48171d9a64251c54a1e76deb558cf9d8"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-16808","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-16808"},{"reference_url":"https://solr.apache.org/security.html#cve-2023-50290-apache-solr-allows-read-access-to-host-environment-variables","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-09T20:17:07Z/"}],"url":"https://solr.apache.org/security.html#cve-2023-50290-apache-solr-allows-read-access-to-host-environment-variables"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258132","reference_id":"2258132","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258132"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50290","reference_id":"CVE-2023-50290","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50290"},{"reference_url":"https://github.com/advisories/GHSA-gg7w-pw2r-x2cq","reference_id":"GHSA-gg7w-pw2r-x2cq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gg7w-pw2r-x2cq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2023-50290","GHSA-gg7w-pw2r-x2cq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4n2d-437t-dufq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56030?format=json","vulnerability_id":"VCID-56rn-pmha-mucx","summary":"Insecure Default Initialization of Resource vulnerability in Apache Solr\nNew ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the \"trusted\" metadata.\nConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to \"trusted\" ConfigSets that may not have been created with an Authenticated request.\n\"trusted\" ConfigSets are able to load custom code into classloaders, therefore the flag is supposed to only be set when the request that uploads the ConfigSet is Authenticated & Authorized.\n\nThis issue affects Apache Solr: from 6.6.0 before 8.11.4, from 9.0.0 before 9.7.0. This issue does not affect Solr instances that are secured via Authentication/Authorization.\n\nUsers are primarily recommended to use Authentication and Authorization when running Solr. However, upgrading to version 9.7.0, or 8.11.4 will mitigate this issue otherwise.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45217","reference_id":"","reference_type":"","scores":[{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34724","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45217"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-17418","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-17418"},{"reference_url":"https://solr.apache.org/security.html#cve-2024-45217-apache-solr-configsets-created-during-a-backup-restore-command-are-trusted-implicitly","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-16T14:59:42Z/"}],"url":"https://solr.apache.org/security.html#cve-2024-45217-apache-solr-configsets-created-during-a-backup-restore-command-are-trusted-implicitly"},{"reference_url":"http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/webapp","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/webapp"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/10/15/9","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/10/15/9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45217","reference_id":"CVE-2024-45217","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45217"},{"reference_url":"https://github.com/advisories/GHSA-h7w9-c5vx-x7j3","reference_id":"GHSA-h7w9-c5vx-x7j3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h7w9-c5vx-x7j3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2024-45217","GHSA-h7w9-c5vx-x7j3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-56rn-pmha-mucx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54334?format=json","vulnerability_id":"VCID-69cb-ed9r-guda","summary":"Insufficiently Protected Credentials\nWhen starting Apache Solr, configured with the `SaslZkACLProvider` or `VMParamsAllAndReadonlyDigestZkACLProvider` and no existing `security.json` `znode`, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any `ZkACLProvider`, if the `security.json` is already present, Solr will not automatically update the ACLs.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29262.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29262.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29262","reference_id":"","reference_type":"","scores":[{"value":"0.26231","scoring_system":"epss","scoring_elements":"0.96403","published_at":"2026-06-05T12:55:00Z"},{"value":"0.26231","scoring_system":"epss","scoring_elements":"0.96398","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29262"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-15249","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-15249"},{"reference_url":"https://lists.apache.org/thread.html/r1171f6417eeb6d5e1206d53e2b2ff2d6ee14026f8b595ef7d8a33b79@%3Coak-issues.jackrabbit.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1171f6417eeb6d5e1206d53e2b2ff2d6ee14026f8b595ef7d8a33b79@%3Coak-issues.jackrabbit.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r1e92a2eff6c47a65c4a6e95e809a9707181de76f8062403a0bea1012@%3Coak-issues.jackrabbit.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1e92a2eff6c47a65c4a6e95e809a9707181de76f8062403a0bea1012@%3Coak-issues.jackrabbit.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r51b29ff62060b67bc9999ded5e252b36b09311fe5a02d27f6de3e4d3@%3Coak-issues.jackrabbit.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r51b29ff62060b67bc9999ded5e252b36b09311fe5a02d27f6de3e4d3@%3Coak-issues.jackrabbit.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r536da4c4e4e406f7843461cc754a3d0a3fe575aa576e2b71a9cd57d0%40%3Cannounce.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r536da4c4e4e406f7843461cc754a3d0a3fe575aa576e2b71a9cd57d0%40%3Cannounce.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7151081abab92a827a607205c4260b0a3d22280b52d15bc909177608@%3Coak-issues.jackrabbit.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r7151081abab92a827a607205c4260b0a3d22280b52d15bc909177608@%3Coak-issues.jackrabbit.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r8d35eeb9a470d2682b5bcf3be0b8942faa7e28f9ca5861c058d17fff@%3Coak-issues.jackrabbit.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8d35eeb9a470d2682b5bcf3be0b8942faa7e28f9ca5861c058d17fff@%3Coak-issues.jackrabbit.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9c4ce6903218c92ef2583070e64af5a69e483821c4b3016dc41e3c6f@%3Coak-issues.jackrabbit.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9c4ce6903218c92ef2583070e64af5a69e483821c4b3016dc41e3c6f@%3Coak-issues.jackrabbit.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb6db683903174eaa44ec80cc118a38574319b0d4181f36b61ee6278f@%3Cdev.jackrabbit.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb6db683903174eaa44ec80cc118a38574319b0d4181f36b61ee6278f@%3Cdev.jackrabbit.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rbc680cbfd745f22d182158217428a296e8e398cde16f3f428fe4bddc@%3Coak-issues.jackrabbit.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rbc680cbfd745f22d182158217428a296e8e398cde16f3f428fe4bddc@%3Coak-issues.jackrabbit.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rd85f87e559ee27e9c69795e3ad93a77621895e0328ea3df41d711d72@%3Coak-commits.jackrabbit.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rd85f87e559ee27e9c69795e3ad93a77621895e0328ea3df41d711d72@%3Coak-commits.jackrabbit.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ref84e60192f4bdc3206b247f260513e8d4e71f3e200792f75386d07a@%3Cdev.jackrabbit.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ref84e60192f4bdc3206b247f260513e8d4e71f3e200792f75386d07a@%3Cdev.jackrabbit.apache.org%3E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210604-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210604-0009"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949520","reference_id":"1949520","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949520"},{"reference_url":"https://security.archlinux.org/AVG-1808","reference_id":"AVG-1808","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1808"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29262","reference_id":"CVE-2021-29262","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29262"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2021-29262","GHSA-jgcr-fg3g-qvw8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-69cb-ed9r-guda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42359?format=json","vulnerability_id":"VCID-8t99-tkmu-t3e7","summary":"Incorrect Authorization in Apache Solr\nApache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions. This issue is patched in 8.6.3.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-13957.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-13957.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13957","reference_id":"","reference_type":"","scores":[{"value":"0.84821","scoring_system":"epss","scoring_elements":"0.99359","published_at":"2026-06-05T12:55:00Z"},{"value":"0.84821","scoring_system":"epss","scoring_elements":"0.99358","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13957"},{"reference_url":"https://github.com/apache/lucene-solr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr"},{"reference_url":"https://github.com/apache/solr/commit/e001c2221812a0ba9e9378855040ce72f93eced4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/solr/commit/e001c2221812a0ba9e9378855040ce72f93eced4"},{"reference_url":"https://lists.apache.org/thread.html/r13a728994c60be5b5a7049282b5c926dac1fc6a9a0b2362f6adfa573@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r13a728994c60be5b5a7049282b5c926dac1fc6a9a0b2362f6adfa573@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r1c783d3d81ba62f3381a17a4d6c826f7dead3a132ba42349c90df075@%3Ccommits.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1c783d3d81ba62f3381a17a4d6c826f7dead3a132ba42349c90df075@%3Ccommits.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r2236fdf99ac3efbfc36c2df96d3a88f822baa6f45e13fec7ff558e34@%3Cdev.bigtop.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r2236fdf99ac3efbfc36c2df96d3a88f822baa6f45e13fec7ff558e34@%3Cdev.bigtop.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r226c1112bb41e7cd427862d875eff9877a20a40242c2542f4dd39e4a@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r226c1112bb41e7cd427862d875eff9877a20a40242c2542f4dd39e4a@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r2a6600fe9afd502c04d26fd112823ec3f3c3ad1b4a289d10567a78a0@%3Cdev.bigtop.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r2a6600fe9afd502c04d26fd112823ec3f3c3ad1b4a289d10567a78a0@%3Cdev.bigtop.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r2f8d33a4de07db9459fb2a98a1cd39747066137636b53f84a13e5628@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r2f8d33a4de07db9459fb2a98a1cd39747066137636b53f84a13e5628@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3d1e24a73e6bffa1d6534e1f34c8f5cbd9999495e7d933640f4fa0ed@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3d1e24a73e6bffa1d6534e1f34c8f5cbd9999495e7d933640f4fa0ed@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3da9895cea476bcee2557531bebd4e8f6f367dc3ea900a65e2f51cd8@%3Cissues.bigtop.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3da9895cea476bcee2557531bebd4e8f6f367dc3ea900a65e2f51cd8@%3Cissues.bigtop.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r4ca8ba5980d9049cf3707798aa3116ee76c1582f171ff452ad2ca75e@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r4ca8ba5980d9049cf3707798aa3116ee76c1582f171ff452ad2ca75e@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r5557641fcf5cfd99260a7037cfbc8788fb546b72c98a900570edaa2e@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r5557641fcf5cfd99260a7037cfbc8788fb546b72c98a900570edaa2e@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r622a043c2890327f8a4aea16b131e8a7137a282a004614369fceb224@%3Cdev.bigtop.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r622a043c2890327f8a4aea16b131e8a7137a282a004614369fceb224@%3Cdev.bigtop.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7512ae552cd9d14ab8b1bc0a7e95f2ec52ae85364f068d4034398ede@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r7512ae552cd9d14ab8b1bc0a7e95f2ec52ae85364f068d4034398ede@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r853fdc6d0b91d5e01a26c7bd5becb044ad775a231703d634ca5d55c9@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r853fdc6d0b91d5e01a26c7bd5becb044ad775a231703d634ca5d55c9@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r8b1782d42d0a4ce573495d5d9345ad328d652c68c411ccdb245c57e3@%3Cissues.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8b1782d42d0a4ce573495d5d9345ad328d652c68c411ccdb245c57e3@%3Cissues.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r999f828e6e37d9e825e207471cbfd2681c3befcd7f3abd59ed87c0d5@%3Cissues.bigtop.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r999f828e6e37d9e825e207471cbfd2681c3befcd7f3abd59ed87c0d5@%3Cissues.bigtop.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9d7356f209ee30d702b6a921c866564eb2e291b126640c7ab70feea7@%3Ccommits.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9d7356f209ee30d702b6a921c866564eb2e291b126640c7ab70feea7@%3Ccommits.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb1de6ba50a468e9baff32a249edaa08f6bcec7dd7cc208e25e6b48c8@%3Cissues.bigtop.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb1de6ba50a468e9baff32a249edaa08f6bcec7dd7cc208e25e6b48c8@%3Cissues.bigtop.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb2f1c7fd3d3ea719dfac4706a80e6affddecae8663dda04e1335347f@%3Ccommits.bigtop.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb2f1c7fd3d3ea719dfac4706a80e6affddecae8663dda04e1335347f@%3Ccommits.bigtop.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rf1a32f00017e83ff29a74be2de02e28e4302dddb5f14c624e297a8c0@%3Cdev.bigtop.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rf1a32f00017e83ff29a74be2de02e28e4302dddb5f14c624e297a8c0@%3Cdev.bigtop.apache.org%3E"},{"reference_url":"https://mail-archives.us.apache.org/mod_mbox/www-announce/202010.mbox/%3CCAECwjAWCVLoVaZy%3DTNRQ6Wk9KWVxdPRiGS8NT%2BPHMJCxbbsEVg%40mail.gmail.com%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://mail-archives.us.apache.org/mod_mbox/www-announce/202010.mbox/%3CCAECwjAWCVLoVaZy%3DTNRQ6Wk9KWVxdPRiGS8NT%2BPHMJCxbbsEVg%40mail.gmail.com%3E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20201023-0002","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20201023-0002"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1890514","reference_id":"1890514","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1890514"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13957","reference_id":"CVE-2020-13957","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13957"},{"reference_url":"https://github.com/advisories/GHSA-3c7p-vv5r-cmr5","reference_id":"GHSA-3c7p-vv5r-cmr5","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3c7p-vv5r-cmr5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2020-13957","GHSA-3c7p-vv5r-cmr5"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8t99-tkmu-t3e7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92491?format=json","vulnerability_id":"VCID-a861-czga-67dt","summary":"Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the fieldvaluecache object.","references":[{"reference_url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201412.mbox/%3C54A1A7C7.2070804@apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201412.mbox/%3C54A1A7C7.2070804@apache.org%3E"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3628.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3628.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3628","reference_id":"","reference_type":"","scores":[{"value":"0.01382","scoring_system":"epss","scoring_elements":"0.80639","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01382","scoring_system":"epss","scoring_elements":"0.80666","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3628"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3628","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3628"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1179795","reference_id":"1179795","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1179795"},{"reference_url":"https://github.com/advisories/GHSA-wgw2-gw4v-9w4j","reference_id":"GHSA-wgw2-gw4v-9w4j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wgw2-gw4v-9w4j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2014-3628","GHSA-wgw2-gw4v-9w4j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a861-czga-67dt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38849?format=json","vulnerability_id":"VCID-atn8-a9f2-hqbq","summary":"Privilege escalation\nSolr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using `SecurityAwareZkACLProvider` type of ACL provider e.g. `SaslZkACLProvider`). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-9803.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-9803.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-9803","reference_id":"","reference_type":"","scores":[{"value":"0.01235","scoring_system":"epss","scoring_elements":"0.79575","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01235","scoring_system":"epss","scoring_elements":"0.79548","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-9803"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9803","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9803"},{"reference_url":"https://github.com/apache/lucene-solr/commit/b091934f9e98568b848d0584a1145c8e514cbd21","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/lucene-solr/commit/b091934f9e98568b848d0584a1145c8e514cbd21"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-11184","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-11184"},{"reference_url":"https://lists.apache.org/thread/f4rbt657n9x4kb74k1txhcojof5dzol5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/f4rbt657n9x4kb74k1txhcojof5dzol5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-9803","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-9803"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1493507","reference_id":"1493507","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1493507"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2017-9803","GHSA-f553-j2gv-g5r9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-atn8-a9f2-hqbq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49789?format=json","vulnerability_id":"VCID-btfr-9waw-x7cw","summary":"Apache Solr: Insufficient file-access checking in standalone core-creation requests\nThe \"create core\" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's  \"allowPaths\" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element .  These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem.  On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM \"user\" hashes.\n\nSolr deployments are subject to this vulnerability if they meet the following criteria:\n*  Solr is running in its \"standalone\" mode.\n*  Solr's \"allowPath\" setting is being used to restrict file access to certain directories.\n*  Solr's \"create core\" API is exposed and accessible to untrusted users.  This can happen if Solr's  RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html  is disabled, or if it is enabled but the \"core-admin-edit\" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles.\n\nUsers can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores.  Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22444.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22444.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22444","reference_id":"","reference_type":"","scores":[{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.1086","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22444"},{"reference_url":"https://github.com/apache/solr","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/solr"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-18058","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-18058"},{"reference_url":"https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-21T15:38:26Z/"}],"url":"https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/01/20/5","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/01/20/5"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431604","reference_id":"2431604","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431604"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22444","reference_id":"CVE-2026-22444","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22444"},{"reference_url":"https://github.com/advisories/GHSA-vc2w-4v3p-2mqw","reference_id":"GHSA-vc2w-4v3p-2mqw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vc2w-4v3p-2mqw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2026-22444","GHSA-vc2w-4v3p-2mqw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-btfr-9waw-x7cw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92493?format=json","vulnerability_id":"VCID-btns-tmqb-b3cp","summary":"Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-8796","reference_id":"","reference_type":"","scores":[{"value":"0.02552","scoring_system":"epss","scoring_elements":"0.85794","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02552","scoring_system":"epss","scoring_elements":"0.85772","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-8796"},{"reference_url":"https://github.com/apache/lucene/commit/dc2f2295e0a6c6574f033f295dc0c9adb7660df9","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene/commit/dc2f2295e0a6c6574f033f295dc0c9adb7660df9"},{"reference_url":"https://github.com/apache/solr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/solr"},{"reference_url":"https://github.com/apache/solr/commit/dc2f2295e0a6c6574f033f295dc0c9adb7660df9","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/solr/commit/dc2f2295e0a6c6574f033f295dc0c9adb7660df9"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-7920","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-7920"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8796","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8796"},{"reference_url":"https://web.archive.org/web/20200227160406/http://www.securityfocus.com/bid/85205","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200227160406/http://www.securityfocus.com/bid/85205"},{"reference_url":"https://github.com/advisories/GHSA-4fxw-g29w-r8mx","reference_id":"GHSA-4fxw-g29w-r8mx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4fxw-g29w-r8mx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2015-8796","GHSA-4fxw-g29w-r8mx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-btns-tmqb-b3cp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56032?format=json","vulnerability_id":"VCID-cerg-yt1u-pua1","summary":"Improper Authentication vulnerability in Apache Solr\nSolr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing.\n\n\nThis issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0.\n\nUsers are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45216","reference_id":"","reference_type":"","scores":[{"value":"0.9408","scoring_system":"epss","scoring_elements":"0.99909","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45216"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-17417","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-17417"},{"reference_url":"https://solr.apache.org/security.html#cve-2024-45216-apache-solr-authentication-bypass-possible-using-a-fake-url-path-ending","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-16T17:02:39Z/"}],"url":"https://solr.apache.org/security.html#cve-2024-45216-apache-solr-authentication-bypass-possible-using-a-fake-url-path-ending"},{"reference_url":"http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/webapp","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/webapp"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/10/15/8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/10/15/8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45216","reference_id":"CVE-2024-45216","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45216"},{"reference_url":"https://github.com/advisories/GHSA-mjvf-4h88-6xm3","reference_id":"GHSA-mjvf-4h88-6xm3","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mjvf-4h88-6xm3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2024-45216","GHSA-mjvf-4h88-6xm3"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cerg-yt1u-pua1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92494?format=json","vulnerability_id":"VCID-dx2z-h52j-myd8","summary":"Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-8797","reference_id":"","reference_type":"","scores":[{"value":"0.02074","scoring_system":"epss","scoring_elements":"0.8427","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02074","scoring_system":"epss","scoring_elements":"0.84293","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-8797"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-7949","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-7949"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8797","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8797"},{"reference_url":"http://www-01.ibm.com/support/docview.wss?uid=swg21975544","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www-01.ibm.com/support/docview.wss?uid=swg21975544"},{"reference_url":"https://github.com/advisories/GHSA-v6gf-x8fp-532v","reference_id":"GHSA-v6gf-x8fp-532v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v6gf-x8fp-532v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2015-8797","GHSA-v6gf-x8fp-532v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dx2z-h52j-myd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51791?format=json","vulnerability_id":"VCID-em3u-s65w-ubbz","summary":"Solr is vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via the update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.","references":[{"reference_url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12401.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12401.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12401","reference_id":"","reference_type":"","scores":[{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96975","published_at":"2026-06-05T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96971","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12401"},{"reference_url":"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12401-XML%20Bomb-Apache%20Solr","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12401-XML%20Bomb-Apache%20Solr"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-13750","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-13750"},{"reference_url":"https://lists.apache.org/thread.html/048ae6e4f84a88e8856f766320b48ad91f9fca2c6f621aa2c40088fe@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/048ae6e4f84a88e8856f766320b48ad91f9fca2c6f621aa2c40088fe@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/1c92300643f48f13bc59b15e3f886ba62bae1798c7d4c2e5c1ece09b@%3Cannounce.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/1c92300643f48f13bc59b15e3f886ba62bae1798c7d4c2e5c1ece09b@%3Cannounce.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/521d10a19bfb590f86dff41820ccfb11e92281f233a12c882650931e@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/521d10a19bfb590f86dff41820ccfb11e92281f233a12c882650931e@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/60a924662ead9aeea74e8ea128d9ca935f8de925aa71b15ab2787d6a@%3Csolr-user.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/60a924662ead9aeea74e8ea128d9ca935f8de925aa71b15ab2787d6a@%3Csolr-user.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/7ab5e95a1a0b4f35ffe53f1eb0cb74b4348b49d41b72ac155b843fa2@%3Cgeneral.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/7ab5e95a1a0b4f35ffe53f1eb0cb74b4348b49d41b72ac155b843fa2@%3Cgeneral.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/db8eaca456d03c00a66cbe37548978318d424b9997e3fd7f5c65dffe@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/db8eaca456d03c00a66cbe37548978318d424b9997e3fd7f5c65dffe@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190926-0002","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20190926-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190926-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20190926-0002/"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/09/10/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2019/09/10/1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789513","reference_id":"1789513","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789513"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12401","reference_id":"CVE-2019-12401","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12401"},{"reference_url":"https://github.com/advisories/GHSA-jq2w-w7v2-69q5","reference_id":"GHSA-jq2w-w7v2-69q5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jq2w-w7v2-69q5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2019-12401","GHSA-jq2w-w7v2-69q5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-em3u-s65w-ubbz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42308?format=json","vulnerability_id":"VCID-errt-tpnd-x7bm","summary":"Incorrect Authorization in Apache Solr\nIn Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 6.6.6 and 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11802.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11802.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11802","reference_id":"","reference_type":"","scores":[{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35424","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35328","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11802"},{"reference_url":"https://github.com/apache/lucene-solr","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr"},{"reference_url":"https://github.com/apache/lucene-solr/commit/add003f217806afb4e1604f697cdb0a5a7115895","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr/commit/add003f217806afb4e1604f697cdb0a5a7115895"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-12514","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-12514"},{"reference_url":"https://www.openwall.com/lists/oss-security/2019/04/24/1","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.openwall.com/lists/oss-security/2019/04/24/1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1707547","reference_id":"1707547","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1707547"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-11802","reference_id":"CVE-2018-11802","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-11802"},{"reference_url":"https://github.com/advisories/GHSA-j346-h5wc-rw2m","reference_id":"GHSA-j346-h5wc-rw2m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j346-h5wc-rw2m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2018-11802","GHSA-j346-h5wc-rw2m"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-errt-tpnd-x7bm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40806?format=json","vulnerability_id":"VCID-g95c-rfw6-kqgs","summary":"Deserialization of Untrusted Data\nIn Apache Solr versions, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.","references":[{"reference_url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201903.mbox/%3CCAECwjAV1buZwg%2BMcV9EAQ19MeAWztPVJYD4zGK8kQdADFYij1w%40mail.gmail.com%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201903.mbox/%3CCAECwjAV1buZwg%2BMcV9EAQ19MeAWztPVJYD4zGK8kQdADFYij1w%40mail.gmail.com%3E"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:2413","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:2413"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-0192.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-0192.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-0192","reference_id":"","reference_type":"","scores":[{"value":"0.93545","scoring_system":"epss","scoring_elements":"0.99839","published_at":"2026-06-05T12:55:00Z"},{"value":"0.93545","scoring_system":"epss","scoring_elements":"0.99838","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-0192"},{"reference_url":"https://github.com/advisories/GHSA-xhcq-fv7x-grr2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xhcq-fv7x-grr2"},{"reference_url":"https://lists.apache.org/thread.html/42c5682f4acd1d03bd963e4f47ae448d7cff66c16b19142773818892@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/42c5682f4acd1d03bd963e4f47ae448d7cff66c16b19142773818892@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/53e4744b14fb7f1810405f8ff5531ab0953a23dd09ce8071ce87e00d@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/53e4744b14fb7f1810405f8ff5531ab0953a23dd09ce8071ce87e00d@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b0ace855f569c6b7a0b03ba68566e53b1a1a519abd536bf38978ce4a@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/b0ace855f569c6b7a0b03ba68566e53b1a1a519abd536bf38978ce4a@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/d0e608c681dfbb16b4da68d99d43fa0ddbd366bb3bcf5bc0d43c56d7@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/d0e608c681dfbb16b4da68d99d43fa0ddbd366bb3bcf5bc0d43c56d7@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ec9c572fb803b26ba0318777977ee6d6a2fb3a2c50d9b4224e541d5d@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ec9c572fb803b26ba0318777977ee6d6a2fb3a2c50d9b4224e541d5d@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8@%3Ccommits.submarine.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8@%3Ccommits.submarine.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190327-0003","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20190327-0003"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190327-0003/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20190327-0003/"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.securityfocus.com/bid/107318","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/107318"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1692345","reference_id":"1692345","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1692345"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-0192","reference_id":"CVE-2019-0192","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-0192"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2019-0192","GHSA-xhcq-fv7x-grr2"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g95c-rfw6-kqgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38664?format=json","vulnerability_id":"VCID-hcng-56xk-tuar","summary":"Security Vulnerability in secure inter-node communication\nThis package uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either `HttpClientInterceptorPlugin` or `HttpClientBuilderPlugin`, his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.","references":[{"reference_url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7660","reference_id":"","reference_type":"","scores":[],"url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7660"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7660.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7660.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7660","reference_id":"","reference_type":"","scores":[{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.5668","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56628","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7660"},{"reference_url":"https://github.com/apache/lucene-solr/commit/2f5ecbcf9ed7a3a4fd37b5c55860ad8eace1bea","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/lucene-solr/commit/2f5ecbcf9ed7a3a4fd37b5c55860ad8eace1bea"},{"reference_url":"https://github.com/apache/lucene-solr/commit/9f91c619a35db89544f5c85795df4128c9f0d96","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/lucene-solr/commit/9f91c619a35db89544f5c85795df4128c9f0d96"},{"reference_url":"https://github.com/apache/lucene-solr/commit/e3b0cfff396a7f92a4f621d598780116da916f3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/lucene-solr/commit/e3b0cfff396a7f92a4f621d598780116da916f3"},{"reference_url":"https://github.com/apache/lucene-solr/commit/e912b7cb5c68fbb87b874d41068cf5a3aea17da0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/lucene-solr/commit/e912b7cb5c68fbb87b874d41068cf5a3aea17da0"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-10624","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-10624"},{"reference_url":"https://lists.apache.org/thread/o0g7vpz5sz4yy0pyf1z94vkpv40x6h44","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/o0g7vpz5sz4yy0pyf1z94vkpv40x6h44"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7660","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7660"},{"reference_url":"https://security.netapp.com/advisory/ntap-20181127-0003","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20181127-0003"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1473273","reference_id":"1473273","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1473273"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2017-7660","GHSA-c82r-qg3w-q5mv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hcng-56xk-tuar"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56540?format=json","vulnerability_id":"VCID-k236-qjun-9qgu","summary":"Apache Solr Relative Path Traversal vulnerability\nRelative Path Traversal vulnerability in Apache Solr.\n\nSolr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the \"configset upload\" API.  Commonly known as a \"zipslip\", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem.\nThis issue affects Apache Solr: from 6.6 through 9.7.0.\n\nUsers are recommended to upgrade to version 9.8.0, which fixes the issue.  Users unable to upgrade may also safely prevent the issue by using Solr's \"Rule-Based Authentication Plugin\" to restrict access to the configset upload API, so that it can only be accessed by a trusted set of administrators/users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52012","reference_id":"","reference_type":"","scores":[{"value":"0.13709","scoring_system":"epss","scoring_elements":"0.94405","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52012"},{"reference_url":"https://github.com/apache/solr","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/solr"},{"reference_url":"https://github.com/apache/solr/commit/5795edd143b8fcb2ffaf7f278a099b8678adf396","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/solr/commit/5795edd143b8fcb2ffaf7f278a099b8678adf396"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-17543","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-17543"},{"reference_url":"https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-27T13:34:11Z/"}],"url":"https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/01/26/2","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/01/26/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52012","reference_id":"CVE-2024-52012","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52012"},{"reference_url":"https://github.com/advisories/GHSA-4p5m-gvpf-f3x5","reference_id":"GHSA-4p5m-gvpf-f3x5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4p5m-gvpf-f3x5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2024-52012","GHSA-4p5m-gvpf-f3x5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k236-qjun-9qgu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41929?format=json","vulnerability_id":"VCID-ugux-wu13-x3d7","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nAn Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr This issue only affects Windows.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44548","reference_id":"","reference_type":"","scores":[{"value":"0.05017","scoring_system":"epss","scoring_elements":"0.899","published_at":"2026-06-04T12:55:00Z"},{"value":"0.05017","scoring_system":"epss","scoring_elements":"0.89916","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44548"},{"reference_url":"https://github.com/apache/solr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/solr"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220114-0005","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20220114-0005"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220114-0005/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20220114-0005/"},{"reference_url":"https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44548","reference_id":"CVE-2021-44548","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44548"},{"reference_url":"https://github.com/advisories/GHSA-pccr-q7v9-5f27","reference_id":"GHSA-pccr-q7v9-5f27","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pccr-q7v9-5f27"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2021-44548","GHSA-pccr-q7v9-5f27"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ugux-wu13-x3d7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92495?format=json","vulnerability_id":"VCID-uz7d-q5jt-sygm","summary":"Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account.   As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords. The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue.  Not affected:   *  Clusters where bin/solr auth enable was not used to bootstrap BasicAuth   *  Clusters where template users have been assigned strong passwords after bootstrap","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44825","reference_id":"","reference_type":"","scores":[{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60747","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44825"},{"reference_url":"https://lists.apache.org/thread/5xg6xr99glocp3zsg9ht2zlbwlrst7ch","reference_id":"5xg6xr99glocp3zsg9ht2zlbwlrst7ch","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-01T12:46:21Z/"}],"url":"https://lists.apache.org/thread/5xg6xr99glocp3zsg9ht2zlbwlrst7ch"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2026-44825"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uz7d-q5jt-sygm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39639?format=json","vulnerability_id":"VCID-w2ku-uvwz-4bhx","summary":"Improper Restriction of XML External Entity Reference\nThis vulnerability in Apache Solr relates to an XML external entity expansion (XXE) in Solr config files.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-8010.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-8010.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-8010","reference_id":"","reference_type":"","scores":[{"value":"0.01708","scoring_system":"epss","scoring_elements":"0.82691","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01708","scoring_system":"epss","scoring_elements":"0.82664","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-8010"},{"reference_url":"https://github.com/advisories/GHSA-rc9v-h28f-jcmf","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rc9v-h28f-jcmf"},{"reference_url":"https://github.com/apache/lucene-solr/commit/1b760114216fcdfae138a8b37f183a9293c4911","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/lucene-solr/commit/1b760114216fcdfae138a8b37f183a9293c4911"},{"reference_url":"https://github.com/apache/lucene-solr/commit/4ba409e0ff3dc38aad88f7b7ad69a76325272b8","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr/commit/4ba409e0ff3dc38aad88f7b7ad69a76325272b8"},{"reference_url":"https://github.com/apache/lucene-solr/commit/6c4e45e28494d4d4d04fb89852d18c86fa3d5f8","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr/commit/6c4e45e28494d4d4d04fb89852d18c86fa3d5f8"},{"reference_url":"https://github.com/apache/lucene-solr/commit/6d082d5743dee7e08a86b3f2ef03bc025112512","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr/commit/6d082d5743dee7e08a86b3f2ef03bc025112512"},{"reference_url":"https://github.com/apache/lucene-solr/commit/96f079b4b47eaadff65c7aaf0e5bafe68e30ec3","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/lucene-solr/commit/96f079b4b47eaadff65c7aaf0e5bafe68e30ec3"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-12316","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-12316"},{"reference_url":"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E"},{"reference_url":"https://mail-archives.apache.org/mod_mbox/www-announce/201805.mbox/%3C08a801d3f0f9%24df46d300%249dd47900%24%40apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://mail-archives.apache.org/mod_mbox/www-announce/201805.mbox/%3C08a801d3f0f9%24df46d300%249dd47900%24%40apache.org%3E"},{"reference_url":"http://www.securityfocus.com/bid/104239","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/104239"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1581037","reference_id":"1581037","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1581037"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8010","reference_id":"CVE-2018-8010","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8010"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2018-8010","GHSA-rc9v-h28f-jcmf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w2ku-uvwz-4bhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49796?format=json","vulnerability_id":"VCID-ymkf-c5sn-f3fw","summary":"Apache Solr: Unauthorized bypass of certain \"predefined permission\" rules in the RuleBasedAuthorizationPlugin\nDeployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's \"Rule Based Authorization Plugin\" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.  Only deployments that meet all of the following criteria are impacted by this vulnerability:\n\n*  Use of Solr's \"RuleBasedAuthorizationPlugin\"\n*  A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple \"roles\"\n*  A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: \"config-read\", \"config-edit\", \"schema-read\", \"metrics-read\", or \"security-read\".\n*  A RuleBasedAuthorizationPlugin permission list that doesn't define the \"all\" pre-defined permission\n*  A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)\n\nUsers can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the \"all\" pre-defined permission and associates the permission with an \"admin\" or other privileged role.  Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22022.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22022.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22022","reference_id":"","reference_type":"","scores":[{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46783","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22022"},{"reference_url":"https://github.com/apache/solr","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/solr"},{"reference_url":"https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-18054","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-18054"},{"reference_url":"https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-21T15:34:12Z/"}],"url":"https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/01/20/4","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/01/20/4"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431603","reference_id":"2431603","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431603"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22022","reference_id":"CVE-2026-22022","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22022"},{"reference_url":"https://github.com/advisories/GHSA-qr3p-2xj2-q7hq","reference_id":"GHSA-qr3p-2xj2-q7hq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qr3p-2xj2-q7hq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115478?format=json","purl":"pkg:deb/debian/lucene-solr@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115476?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115474?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/115477?format=json","purl":"pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie"}],"aliases":["CVE-2026-22022","GHSA-qr3p-2xj2-q7hq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ymkf-c5sn-f3fw"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie"}