Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ke61-vddr-4udk
Vulnerability ID VCID-ke61-vddr-4udk
Aliases CVE-2017-3163
GHSA-387v-84cv-9qmc
Summary When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2018:1447
generic_textual HIGH https://access.redhat.com/errata/RHSA-2018:1447
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2018:1448
generic_textual HIGH https://access.redhat.com/errata/RHSA-2018:1448
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2018:1449
generic_textual HIGH https://access.redhat.com/errata/RHSA-2018:1449
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2018:1450
generic_textual HIGH https://access.redhat.com/errata/RHSA-2018:1450
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2018:1451
generic_textual HIGH https://access.redhat.com/errata/RHSA-2018:1451
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3163.json
epss 0.16448 https://api.first.org/data/v1/epss?cve=CVE-2017-3163
epss 0.16448 https://api.first.org/data/v1/epss?cve=CVE-2017-3163
epss 0.16448 https://api.first.org/data/v1/epss?cve=CVE-2017-3163
epss 0.16448 https://api.first.org/data/v1/epss?cve=CVE-2017-3163
epss 0.16448 https://api.first.org/data/v1/epss?cve=CVE-2017-3163
epss 0.16448 https://api.first.org/data/v1/epss?cve=CVE-2017-3163
epss 0.16448 https://api.first.org/data/v1/epss?cve=CVE-2017-3163
epss 0.16448 https://api.first.org/data/v1/epss?cve=CVE-2017-3163
epss 0.16448 https://api.first.org/data/v1/epss?cve=CVE-2017-3163
epss 0.16448 https://api.first.org/data/v1/epss?cve=CVE-2017-3163
cvssv3.1 7.5 https://github.com/advisories/GHSA-387v-84cv-9qmc
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-387v-84cv-9qmc
generic_textual HIGH https://github.com/advisories/GHSA-387v-84cv-9qmc
cvssv3.1 7.5 https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488@%3Csolr-user.lucene.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488@%3Csolr-user.lucene.apache.org%3E
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2017-3163
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2017-3163
cvssv3.1 7.5 https://www.debian.org/security/2018/dsa-4124
generic_textual HIGH https://www.debian.org/security/2018/dsa-4124
Reference id Reference type URL
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163
https://access.redhat.com/errata/RHSA-2018:1447
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1451
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3163.json
https://api.first.org/data/v1/epss?cve=CVE-2017-3163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163
https://github.com/advisories/GHSA-387v-84cv-9qmc
https://github.com/apache/lucene-solr/commit/3a4f885b18bc963a8326c752bd229497908f1db
https://github.com/apache/lucene-solr/commit/6f598d24692a89da9b5b671be6cf4b947aa39266
https://github.com/apache/lucene-solr/commit/7088137d52256354a52ed86547b9faa0e704293
https://github.com/apache/lucene-solr/commit/ae789c252687dc8a18bfdb677f2e6cd14570e4d
https://issues.apache.org/jira/browse/SOLR-10031
https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488@%3Csolr-user.lucene.apache.org%3E
https://www.debian.org/security/2018/dsa-4124
1454783 https://bugzilla.redhat.com/show_bug.cgi?id=1454783
867712 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867712
CVE-2017-3163 https://nvd.nist.gov/vuln/detail/CVE-2017-3163
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:1447
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:1448
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:1449
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:1450
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:1451
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3163.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/advisories/GHSA-387v-84cv-9qmc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488@%3Csolr-user.lucene.apache.org%3E
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-3163
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.debian.org/security/2018/dsa-4124
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.9485
EPSS Score 0.16448
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:18.318191+00:00 ProjectKB MSRImporter Import https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv 38.0.0