The ReplicationHandler (normally registered at /replication under a Solr core) in Apache Solr has a masterUrl (also leaderUrl alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the shards parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Solr | Apache | * | 8.8.2 (excluding) |
| Lucene-solr | Ubuntu | bionic | * |
| Lucene-solr | Ubuntu | groovy | * |
| Lucene-solr | Ubuntu | hirsute | * |
| Lucene-solr | Ubuntu | impish | * |
| Lucene-solr | Ubuntu | kinetic | * |
| Lucene-solr | Ubuntu | lunar | * |
| Lucene-solr | Ubuntu | mantic | * |
| Lucene-solr | Ubuntu | trusty | * |
| Lucene-solr | Ubuntu | trusty/esm | * |
| Lucene-solr | Ubuntu | xenial | * |