{ "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-29262", "STATE": "PUBLIC", "TITLE": "Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Solr", "version": { "version_data": [ { "version_affected": "<", "version_name": "Apache Solr", "version_value": "8.8.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Timothy Potter and Mike Drob, Apple Cloud Services" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-522 Insufficiently Protected Credentials" } ] } ] }, "references": { "reference_data": [ { "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r536da4c4e4e406f7843461cc754a3d0a3fe575aa576e2b71a9cd57d0%40%3Cannounce.apache.org%3E", "name": "https://lists.apache.org/thread.html/r536da4c4e4e406f7843461cc754a3d0a3fe575aa576e2b71a9cd57d0%40%3Cannounce.apache.org%3E" }, { "refsource": "CONFIRM", "name": "https://security.netapp.com/advisory/ntap-20210604-0009/", "url": "https://security.netapp.com/advisory/ntap-20210604-0009/" }, { "refsource": "MLIST", "name": "[jackrabbit-oak-issues] 20210730 [jira] [Created] (OAK-9520) CVE-2021-29262 in oak-solr-osgi", "url": "https://lists.apache.org/thread.html/r51b29ff62060b67bc9999ded5e252b36b09311fe5a02d27f6de3e4d3@%3Coak-issues.jackrabbit.apache.org%3E" }, { "refsource": "MLIST", "name": "[jackrabbit-oak-issues] 20210730 [jira] [Assigned] (OAK-9520) CVE-2021-29262 in oak-solr-osgi", "url": "https://lists.apache.org/thread.html/r1171f6417eeb6d5e1206d53e2b2ff2d6ee14026f8b595ef7d8a33b79@%3Coak-issues.jackrabbit.apache.org%3E" }, { "refsource": "MLIST", "name": "[jackrabbit-oak-issues] 20210730 [jira] [Commented] (OAK-9520) CVE-2021-29262 in oak-solr-osgi", "url": "https://lists.apache.org/thread.html/rbc680cbfd745f22d182158217428a296e8e398cde16f3f428fe4bddc@%3Coak-issues.jackrabbit.apache.org%3E" }, { "refsource": "MLIST", "name": "[jackrabbit-dev] 20210730 [GitHub] [jackrabbit-oak] nit0906 opened a new pull request #334: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262", "url": "https://lists.apache.org/thread.html/rb6db683903174eaa44ec80cc118a38574319b0d4181f36b61ee6278f@%3Cdev.jackrabbit.apache.org%3E" }, { "refsource": "MLIST", "name": "[jackrabbit-oak-issues] 20210730 [jira] [Updated] (OAK-9520) CVE-2021-29262 in oak-solr-osgi", "url": "https://lists.apache.org/thread.html/r1e92a2eff6c47a65c4a6e95e809a9707181de76f8062403a0bea1012@%3Coak-issues.jackrabbit.apache.org%3E" }, { "refsource": "MLIST", "name": "[jackrabbit-oak-issues] 20210730 [jira] [Resolved] (OAK-9520) CVE-2021-29262 in oak-solr-osgi", "url": "https://lists.apache.org/thread.html/r9c4ce6903218c92ef2583070e64af5a69e483821c4b3016dc41e3c6f@%3Coak-issues.jackrabbit.apache.org%3E" }, { "refsource": "MLIST", "name": "[jackrabbit-oak-commits] 20210730 [jackrabbit-oak] branch trunk updated: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262 (#334)", "url": "https://lists.apache.org/thread.html/rd85f87e559ee27e9c69795e3ad93a77621895e0328ea3df41d711d72@%3Coak-commits.jackrabbit.apache.org%3E" }, { "refsource": "MLIST", "name": "[jackrabbit-dev] 20210730 [GitHub] [jackrabbit-oak] nit0906 merged pull request #334: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262", "url": "https://lists.apache.org/thread.html/ref84e60192f4bdc3206b247f260513e8d4e71f3e200792f75386d07a@%3Cdev.jackrabbit.apache.org%3E" }, { "refsource": "MLIST", "name": "[jackrabbit-oak-issues] 20210730 [jira] [Commented] (OAK-9520) CVE-2021-29262 in oak-solr-osgi", "url": "https://lists.apache.org/thread.html/r7151081abab92a827a607205c4260b0a3d22280b52d15bc909177608@%3Coak-issues.jackrabbit.apache.org%3E" }, { "refsource": "MLIST", "name": "[jackrabbit-oak-issues] 20211006 [jira] [Updated] (OAK-9520) CVE-2021-29262 in oak-solr-osgi", "url": "https://lists.apache.org/thread.html/r8d35eeb9a470d2682b5bcf3be0b8942faa7e28f9ca5861c058d17fff@%3Coak-issues.jackrabbit.apache.org%3E" } ] }, "source": { "defect": [ "SOLR-15249" ], "discovery": "UNKNOWN" }, "work_around": [ { "lang": "eng", "value": "Manually set appropriate ACLs on /security.json znode." } ] }