CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score
Confidence: High

EPSS
Percentile: 76.8%

Package : lucene-solr
Version : 3.6.0+dfsg-1+deb7u2
CVE ID : CVE-2017-3163
Debian Bug : 867712

The lucene-solr handler supports an HTTP API (/replication?command=filecontent&file=<file_name>)
that is vulnerable to a path traversal attack. Specifically, this API does not
perform any validation of the user-specified file_name parameter. This can
allow an attacker to download any file readable by the Solr server process, even if
it is not related to the actual Solr index state.

For Debian 7 "Wheezy", this problem has been fixed in version
3.6.0+dfsg-1+deb7u2.

We recommend that you upgrade your lucene-solr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
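
One way to review web access logs for use of this API, as an added example that is not part of the advisory or of Solr's code: it flags command=filecontent requests whose file value is anything other than a bare file name, decoding repeatedly so percent-encoded separators are caught. The log lines are constructed, and the /solr/... mount path and the rule that index files are plain names without directories are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (documentation IPs, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /solr/replication?command=filecontent&file=segments_2 HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /solr/replication?command=filecontent&file=../../example.txt HTTP/1.1" 200 2048',
    '192.0.2.44 - - [01/Jan/2024:10:00:06 +0000] "GET /solr/core1/replication?file=..%252F..%252Fexample.txt&command=filecontent HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "GET /solr/replication?command=indexversion HTTP/1.1" 200 120',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /solr/replication?command=filecontent&file=/example/absolute.txt HTTP/1.1" 200 90',
]

# Request field of a common/combined log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_name(name):
    """Assumption: a legitimate index file is a bare name with no directory part."""
    name = fully_decode(name)
    return any(c in name for c in ("/", "\\", "\x00")) or name in (".", "..")

def find_traversal_requests(log_lines):
    """Return (line_number, decoded file value) for flagged filecontent requests."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.rstrip("/").endswith("/replication"):
            continue
        params = parse_qs(target.query)  # already decodes one layer
        if "filecontent" not in [c.lower() for c in params.get("command", [])]:
            continue
        for raw in params.get("file", []):
            if is_suspicious_name(raw):
                hits.append((lineno, fully_decode(raw)))
    return hits

if __name__ == "__main__":
    print(find_traversal_requests(SAMPLE_LOG))
```

A hit with a 200 status and a non-trivial response size is worth following up on hosts that ran an unpatched package at the time of the request.
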
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 9 | all | liblucene3-java-doc | < 3.6.2+dfsg-10+deb9u1 | liblucene3-java-doc_3.6.2+dfsg-10+deb9u1_all.deb |
Debian | 9 | all | solr-common | < 3.6.2+dfsg-10+deb9u1 | solr-common_3.6.2+dfsg-10+deb9u1_all.deb |
Debian | 8 | all | lucene-solr | < 3.6.2+dfsg-5+deb8u1 | lucene-solr_3.6.2+dfsg-5+deb8u1_all.deb |
Debian | 7 | all | solr-jetty | < 3.6.0+dfsg-1+deb7u2 | solr-jetty_3.6.0+dfsg-1+deb7u2_all.deb |
Debian | 9 | all | liblucene3-contrib-java | < 3.6.2+dfsg-10+deb9u1 | liblucene3-contrib-java_3.6.2+dfsg-10+deb9u1_all.deb |
Debian | 8 | all | libsolr-java | < 3.6.2+dfsg-5+deb8u1 | libsolr-java_3.6.2+dfsg-5+deb8u1_all.deb |
Debian | 9 | all | solr-jetty | < 3.6.2+dfsg-10+deb9u1 | solr-jetty_3.6.2+dfsg-10+deb9u1_all.deb |
Debian | 8 | all | solr-jetty | < 3.6.2+dfsg-5+deb8u1 | solr-jetty_3.6.2+dfsg-5+deb8u1_all.deb |
Debian | 7 | all | liblucene3-contrib-java | < 3.6.0+dfsg-1+deb7u2 | liblucene3-contrib-java_3.6.0+dfsg-1+deb7u2_all.deb |
Debian | 9 | all | liblucene3-java | < 3.6.2+dfsg-10+deb9u1 | liblucene3-java_3.6.2+dfsg-10+deb9u1_all.deb |