Search for vulnerabilities
Vulnerability details: VCID-2bhr-9hej-aaas
Vulnerability ID VCID-2bhr-9hej-aaas
Aliases CVE-2017-7660
GHSA-c82r-qg3w-q5mv
Summary Security Vulnerability in secure inter-node communication This package uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either `HttpClientInterceptorPlugin` or `HttpClientBuilderPlugin`, his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-287 Improper Authentication
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7660.json
epss 0.00262 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00262 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00262 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00262 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00283 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00455 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00455 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00455 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00455 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.00934 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.01265 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
epss 0.04326 https://api.first.org/data/v1/epss?cve=CVE-2017-7660
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1473273
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-c82r-qg3w-q5mv
cvssv3.1 7.5 https://issues.apache.org/jira/browse/SOLR-10624
generic_textual HIGH https://issues.apache.org/jira/browse/SOLR-10624
cvssv3.1 7.5 https://lists.apache.org/thread/o0g7vpz5sz4yy0pyf1z94vkpv40x6h44
generic_textual HIGH https://lists.apache.org/thread/o0g7vpz5sz4yy0pyf1z94vkpv40x6h44
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2017-7660
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2017-7660
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20181127-0003
generic_textual HIGH https://security.netapp.com/advisory/ntap-20181127-0003
Reference id Reference type URL
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7660
http://mail-archives.us.apache.org/mod_mbox/www-announce/201707.mbox/%3CCAOOKt53EgrybaD%2BiSn-nBbvFdse-szhg%3DhMoDZuvUvyMme-Z%3Dg%40mail.gmail.com%3E
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7660.json
https://api.first.org/data/v1/epss?cve=CVE-2017-7660
https://github.com/apache/lucene-solr/commit/2f5ecbcf9ed7a3a4fd37b5c55860ad8eace1bea
https://github.com/apache/lucene-solr/commit/9f91c619a35db89544f5c85795df4128c9f0d96
https://github.com/apache/lucene-solr/commit/e3b0cfff396a7f92a4f621d598780116da916f3
https://github.com/apache/lucene-solr/commit/e912b7cb5c68fbb87b874d41068cf5a3aea17da0
https://issues.apache.org/jira/browse/SOLR-10624
https://lists.apache.org/thread/o0g7vpz5sz4yy0pyf1z94vkpv40x6h44
https://security.netapp.com/advisory/ntap-20181127-0003
https://security.netapp.com/advisory/ntap-20181127-0003/
http://www.securityfocus.com/bid/99485
1473273 https://bugzilla.redhat.com/show_bug.cgi?id=1473273
cpe:2.3:a:apache:solr:5.3.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.3.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:5.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.3.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:5.3.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.4.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:5.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.4.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:5.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.5.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.5.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:5.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.5.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:5.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.5.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:5.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.5.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:5.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.0.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.2.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.2.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.3.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.4.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.4.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.4.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.5.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.5.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:6.5.1:*:*:*:*:*:*:*
CVE-2017-7660 https://nvd.nist.gov/vuln/detail/CVE-2017-7660
GHSA-c82r-qg3w-q5mv https://github.com/advisories/GHSA-c82r-qg3w-q5mv
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7660.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://issues.apache.org/jira/browse/SOLR-10624
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://lists.apache.org/thread/o0g7vpz5sz4yy0pyf1z94vkpv40x6h44
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-7660
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-7660
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://security.netapp.com/advisory/ntap-20181127-0003
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.65016
EPSS Score 0.00262
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.