{"id":"CVE-2017-7660","details":"Apache Solr uses a PKI-based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in the cluster into believing that the malicious node is a member of the cluster. So, if Solr users have enabled the BasicAuth authentication mechanism using the BasicAuthPlugin, or if a user has implemented a custom Authentication plugin that does not implement either \"HttpClientInterceptorPlugin\" or \"HttpClientBuilderPlugin\", their servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.","aliases":["GHSA-c82r-qg3w-q5mv"],"modified":"2026-04-10T04:00:59.123555Z","published":"2017-07-07T19:29:00.197Z","references":[{"type":"ADVISORY","url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201707.mbox/%3CCAOOKt53EgrybaD%2BiSn-nBbvFdse-szhg%3DhMoDZuvUvyMme-Z%3Dg%40mail.gmail.com%3E"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99485"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20181127-0003/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/lucene-solr","events":[{"introduced":"0"},{"last_affected":"cb922f860e8f7522287b55ea4bcd1059219bc1b3"},{"introduced":"0"},{"last_affected":"d218c56d3fe3b18e5b1c79e4e61f93c0b31408b6"},{"introduced":"0"},{"last_affected":"d57d7b14883a4b27990ee88419ac89dbed8f34bf"},{"introduced":"0"},{"last_affected":"0a1dd10d5262153f4188dfa14a08ba28ec4ccb60"},{"introduced":"0"},{"last_affected":"f54d853a3c3a2ddcf24ee7e2c837dc4d403bc0b0"},{"introduced":"0"},{"last_affected":"2a228b3920a07f930f7afb6a42d0d20e184a943c"},{"introduced":"0"},{"last_affected":"c08f17bca0d9cbf516874d13d221ab100e5b7d58"},{"introduced":"0"},{"last_affected":"8e5d40b22a3968df065dfc078ef81cbb031f0e4a"},{"introduced":"0"},{"last_affected":"8655b97b27d
8da470c8235683af11a8b85a2b10f"},{"introduced":"0"},{"last_affected":"31012120ebbd93744753eb37f1dbc5e654628291"},{"introduced":"0"},{"last_affected":"48c80f91b8e5cd9b3a9b48e6184bd53e7619e7e3"},{"introduced":"0"},{"last_affected":"c7510a0fdd93329ec04c853c8557f4a3f2309eaf"},{"introduced":"0"},{"last_affected":"4726c5b2d2efa9ba160b608d46a977d0a6b83f94"},{"introduced":"0"},{"last_affected":"764d0f19151dbff6f5fcd9fc4b2682cf934590c5"},{"introduced":"0"},{"last_affected":"43ab70147eb494324a1410f7a9f16a896a59bc6f"},{"introduced":"0"},{"last_affected":"a66a44513ee8191e25b477372094bfa846450316"},{"introduced":"0"},{"last_affected":"bbe4b08cc1fb673d0c3eb4b8455f23ddc1364124"},{"introduced":"0"},{"last_affected":"72f75b2503fa0aa4f0aff76d439874feb923bb0e"},{"introduced":"0"},{"last_affected":"34a975ca3d4bd7fa121340e5bcbf165929e0542f"},{"introduced":"0"},{"last_affected":"4b16c9a10c3c00cafaf1fc92ec3276a7bc7b8c95"},{"introduced":"0"},{"last_affected":"cd1f23c63abe03ae650c75ec8ccb37762806cc75"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.3.0"},{"introduced":"0"},{"last_affected":"5.3.1"},{"introduced":"0"},{"last_affected":"5.3.2"},{"introduced":"0"},{"last_affected":"5.4.0"},{"introduced":"0"},{"last_affected":"5.4.1"},{"introduced":"0"},{"last_affected":"5.5.0"},{"introduced":"0"},{"last_affected":"5.5.1"},{"introduced":"0"},{"last_affected":"5.5.2"},{"introduced":"0"},{"last_affected":"5.5.3"},{"introduced":"0"},{"last_affected":"5.5.4"},{"introduced":"0"},{"last_affected":"6.0.0"},{"introduced":"0"},{"last_affected":"6.0.1"},{"introduced":"0"},{"last_affected":"6.1.0"},{"introduced":"0"},{"last_affected":"6.2.0"},{"introduced":"0"},{"last_affected":"6.2.1"},{"introduced":"0"},{"last_affected":"6.3.0"},{"introduced":"0"},{"last_affected":"6.4.0"},{"introduced":"0"},{"last_affected":"6.4.1"},{"introduced":"0"},{"last_affected":"6.4.2"},{"introduced":"0"},{"last_affected":"6.5.0"},{"introduced":"0"},{"last_affected":"6.5.1"}]}}],"versions":["grafts/lucen
e-oldest","grafts/lucene-solr-copy","grafts/lucene-solr-oldest-merged","history/branches/lucene-solr/lucene-6997","history/branches/lucene-solr/lucene_solr_5_4","releases/lucene-solr/5.3.0","releases/lucene-solr/5.3.1","releases/lucene-solr/5.3.2","releases/lucene-solr/5.4.0","releases/lucene-solr/5.4.1","releases/lucene-solr/5.5.0","releases/lucene-solr/5.5.1","releases/lucene-solr/5.5.2","releases/lucene-solr/5.5.3","releases/lucene-solr/5.5.4","releases/lucene-solr/6.0.0","releases/lucene-solr/6.0.1","releases/lucene-solr/6.1.0","releases/lucene-solr/6.2.0","releases/lucene-solr/6.2.1","releases/lucene-solr/6.3.0","releases/lucene-solr/6.4.0","releases/lucene-solr/6.4.1","releases/lucene-solr/6.4.2","releases/lucene-solr/6.5.0","releases/lucene-solr/6.5.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7660.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}