Apache Solr: Authentication bypass possible using a fake URL Path ending

Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.

N/A

认证机制不恰当

Apache Solr 安全漏洞

Apache Solr是美国阿帕奇（Apache）基金会的一款基于Lucene（一款全文搜索引擎）的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。 Apache Solr 5.3.0至8.11.4之前版本和9.0.0至9.7.0之前版本存在安全漏洞，该漏洞源于存在身份验证不当漏洞，从而可使用虚假URL路径结尾绕过身份验证。

N/A

N/A