CVE-2020-13957
Incorrect Authorization in Apache Solr
9.8
CRITICAL
CVSS 3.1
EPSS 84.8%
Description
Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevent some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that is uploaded via the API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions. This issue is patched in 8.6.3.
How to fix CVE-2020-13957
To remediate CVE-2020-13957, upgrade the affected package to a fixed version below.
- upgrade to 6.6.7 or later
- upgrade to 8.6.3 or later
- upgrade to 8.6.3 or later
- upgrade to 8.6.3 or later
Is CVE-2020-13957 being exploited?
Likely — EPSS is 84.8%, placing CVE-2020-13957 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (4)
- >= 6.6.0, < 6.6.7, >= 7.0.0, < 7.7.4, >= 8.0.0, < 8.6.3
- >= 6.6.0, < 8.6.3
- >= 6.6.0, < 8.6.3
- >= 6.6.0, < 8.6.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |