Apache Solr

46 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-22444
Affected: >= 8.6.0 and < 9.10.1
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause
CVSS 7.1 HIGH

CVE-2026-22022
Affected: >= 5.3.0 and < 9.10.1
Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing u
CVSS 8.2 HIGH

CVE-2025-24814
Affected: < 9.8.0
Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "Fil
CVSS 5.5 MEDIUM

CVE-2024-52012
Affected: >= 6.6.0 and < 9.8.0
Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath writ
CVSS 5.4 MEDIUM

CVE-2024-45217
Affected: >= 6.6.0 and < 8.11.4
Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command,
CVSS 8.1 HIGH

CVE-2024-45216
Affected: >= 5.3.0 and < 8.11.4
Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by defau
CVSS 9.8 CRITICAL

CVE-2023-50386
Affected: >= 6.0.0 and < 8.11.3
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionalit
CVSS 8.8 HIGH

CVE-2023-50298
Affected: >= 6.0.0 and < 8.11.3
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0
CVSS 7.5 HIGH

CVE-2023-50292
Affected: >= 6.0.0 and < 8.11.3
Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apa
CVSS 7.5 HIGH

CVE-2023-50291
Affected: >= 6.0.0 and < 8.11.3
Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, fro
CVSS 7.5 HIGH

CVE-2023-50290
Affected: >= 9.0.0 and < 9.3.0
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprot
CVSS 6.5 MEDIUM

CVE-2023-44487
Affected: < 9.4.0
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q
CVSS 7.5 HIGH

CVE-2021-44548
Affected: < 8.11.1
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path re
CVSS 9.8 CRITICAL

CVE-2021-33813
Affected: all versions (JDOM dependency; match against the bundled JDOM version, not the Solr version)
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CVSS 7.5 HIGH

CVE-2021-29943
Affected: < 8.8.2
When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distr
CVSS 9.1 CRITICAL

CVE-2021-29262
Affected: < 8.8.2
When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvi
CVSS 7.5 HIGH

CVE-2021-27905
Affected: < 8.8.2
The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl
CVSS 9.8 CRITICAL

CVE-2021-28163
Affected: all versions (Eclipse Jetty dependency; the affected Jetty releases are the ones named in the description)
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is
CVSS 2.7 LOW

CVE-2020-27223
Affected: all versions (Eclipse Jetty dependency; the affected Jetty releases are the ones named in the description)
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multi
CVSS 5.2 MEDIUM

CVE-2020-9492
Affected: all versions (Apache Hadoop dependency; the affected Hadoop releases are the ones named in the description)
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization
CVSS 8.8 HIGH

CVE-2020-13957
Affected: >= 6.6.0 and <= 6.6.6, >= 7.0.0 and <= 7.7.3, >= 8.0.0 and <= 8.6.2
Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be
CVSS 9.8 CRITICAL

CVE-2020-13941
Affected: < 8.6.0
Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https:
CVSS 8.8 HIGH

CVE-2018-11802
Affected: >= 4.2.0 and < 6.6.6
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collec
CVSS 4.3 MEDIUM

CVE-2019-17558
Affected: >= 5.0.0 and <= 8.3.1
Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity te
CVSS 7.5 HIGH

CVE-2019-12409
Affected: 8.1.1 and 8.2.0 only
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the
CVSS 9.8 CRITICAL

CVE-2019-12401
Affected: >= 1.3.0 and <= 1.4.1, >= 3.1.0 and <= 3.6.2, >= 4.0.0 and <= 4.10.4
Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol
CVSS 7.5 HIGH

CVE-2019-0193
Affected: < 7.7.3
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feat
CVSS 7.2 HIGH

CVE-2017-3164
Affected: >= 1.3.0 and <= 7.6.0
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corre
CVSS 7.5 HIGH

CVE-2019-0192
Affected: >= 5.0.0 and <= 5.5.5, >= 6.0.0 and <= 6.6.5
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST requ
CVSS 9.8 CRITICAL

CVE-2018-8026
Affected: >= 6.0.0 and <= 6.6.4, >= 7.0.0 and <= 7.3.1
This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr conf
CVSS 5.5 MEDIUM

CVE-2018-8010
Affected: >= 6.0.0 and <= 6.6.3, >= 7.0.0 and <= 7.3.0
This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config
CVSS 5.5 MEDIUM

CVE-2018-1308
Affected: >= 1.2 and <= 6.6.2, >= 7.0.0 and <= 7.2.1
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataC
CVSS 7.5 HIGH

CVE-2017-1000190
Affected: all versions (SimpleXML dependency; match against the bundled SimpleXML version, not the Solr version)
SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting in SSRF, information disclosure, DoS and so on.
CVSS 9.1 CRITICAL

CVE-2017-12629
Affected: < 7.1.0
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of
CVSS 9.8 CRITICAL

CVE-2017-9803
Affected: all versions
Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication
CVSS 7.5 HIGH

CVE-2017-3163
Affected: <= 5.5.3
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which
CVSS 7.5 HIGH

CVE-2017-7660
Affected: all versions
Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a spe
CVSS 7.5 HIGH

CVE-2015-8797
Affected: <= 5.3
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr befo
CVSS 6.1 MEDIUM

CVE-2015-8796
Affected: <= 5.2.1
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allo
CVSS 6.1 MEDIUM

CVE-2015-8795
Affected: <= 5.0
Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arb
CVSS 6.1 MEDIUM

CVE-2014-3628
Affected: >= 4.0.0 and < 4.10.3
Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attack

CVE-2012-6612
Affected: <= 4.0.0
The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an uns

CVE-2013-6408
Affected: <= 4.3.0
The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote

CVE-2013-6407
Affected: <= 4.0.0
The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data cont

CVE-2013-6397
Affected: <= 4.5.1
Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files

CVE-2009-3821
Affected: the TYPO3 "Apache Solr Search (solr)" extension 1.0.0, a third-party TYPO3 extension rather than Apache Solr itself
Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inj
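The affected-version strings above are only useful if you can test a deployed version against them. The script below is an added example, not code from this page or from the Apache Solr project: it compiles a subset of the page's range strings (copied as printed, with multi-branch ranges written comma-separated) into predicates, reads the running version out of a Solr system-info response, and returns the matching CVE ids. The system-info JSON is a constructed sample shaped like the `/solr/admin/info/system?wt=json` response; the range grammar and all function names are this example's own.

```python
"""Match an installed Apache Solr version against the affected-version ranges
listed on this page.  Added example, not code from the page or from the Solr
project: the range strings are copied from the page's entries (a subset); the
range grammar, the parser and the system-info lookup are this example's own."""
import json
import operator
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges as printed on this page (subset).  Where a description names
# several release branches, the branches are written comma-separated.
PAGE_RANGES: Dict[str, str] = {
    "CVE-2026-22444": ">= 8.6.0 and < 9.10.1",
    "CVE-2024-45216": ">= 5.3.0 and < 8.11.4",
    "CVE-2023-44487": "< 9.4.0",
    "CVE-2020-13957": ">= 6.6.0 and <= 6.6.6, >= 7.0.0 and <= 7.7.3, >= 8.0.0 and <= 8.6.2",
    "CVE-2019-17558": ">= 5.0.0 and <= 8.3.1",
    "CVE-2021-33813": "all versions",   # JDOM dependency: flagged unconditionally, check the bundled JDOM
    "CVE-2015-8797": "<= 5.3",
}

_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    ">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt,
}
_BOUND = re.compile(r"(>=|<=|>|<)\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'9.4.0-SNAPSHOT' -> (9, 4, 0); '5.3' -> (5, 3, 0).  Padded to three fields
    so that '5.3' compares equal to '5.3.0', which is how the page's ranges read."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def parse_range(expr: str) -> Callable[[Version], bool]:
    """Compile a page-style range into a predicate.  Comma-separated branches are
    OR-ed; the bounds inside one branch ('>= a and < b') are AND-ed."""
    expr = expr.strip()
    if expr == "all versions":
        return lambda v: True
    branches: List[List[Tuple[Callable, Version]]] = []
    for branch in expr.split(","):
        bounds = [(_OPS[op], parse_version(ver)) for op, ver in _BOUND.findall(branch)]
        if not bounds:
            raise ValueError(f"unparseable range branch: {branch!r}")
        branches.append(bounds)
    return lambda v: any(all(op(v, b) for op, b in bounds) for bounds in branches)


def affected_cves(version: str, ranges: Dict[str, str] = PAGE_RANGES) -> List[str]:
    """CVE ids whose affected range contains `version`, sorted for stable output."""
    v = parse_version(version)
    return sorted(cve for cve, expr in ranges.items() if parse_range(expr)(v))


def version_from_system_info(body: str) -> str:
    """Pull solr-spec-version out of a /solr/admin/info/system?wt=json response body."""
    return json.loads(body)["lucene"]["solr-spec-version"]


# Constructed sample of the relevant part of a system-info response (not captured
# from a real server).
SAMPLE_SYSTEM_INFO = json.dumps({
    "responseHeader": {"status": 0, "QTime": 3},
    "mode": "solrcloud",
    "lucene": {"solr-spec-version": "8.6.2", "lucene-spec-version": "8.6.2"},
})

if __name__ == "__main__":
    ver = version_from_system_info(SAMPLE_SYSTEM_INFO)
    for cve in affected_cves(ver):
        print(f"{ver}: affected by {cve} ({PAGE_RANGES[cve]})")
```

Branch boundaries are where mistakes happen, so check them explicitly: 8.3.2 is inside the 8.x branch of CVE-2020-13957 but just past the 8.3.1 ceiling of CVE-2019-17558, and 9.10.1 clears every Solr range above. Entries marked "all versions" are dependency CVEs (JDOM, Jetty, Hadoop, SimpleXML on this page) and must be matched against the bundled library version; the script flags them unconditionally so that they are not silently dropped from the triage list.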
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin