N/A

When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.

N/A

N/A

Apache Solr 安全漏洞

Apache Solr是美国阿帕奇（Apache）软件基金会的一款基于Lucene（一个全文检索引擎的架构）的搜索服务器，它支持层面搜索、垂直搜索、高亮显示搜索结果、多种输出格式等。 Apache Solr 5.5.4之前的版本和6.4.1之前的6.x版本中存在安全漏洞。攻击者可通过构建请求利用该漏洞获取文件。

N/A

N/A