[ https://issues.apache.org/jira/browse/SOLR-18054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jason Gerlowski updated SOLR-18054:
-----------------------------------
Security: Public (was: Private (Security Issue))
> Predefined permission rules can be skipped for certain unexpected HTTP method and path deviations
> -------------------------------------------------------------------------------------------------
>
> Key: SOLR-18054
> URL: https://issues.apache.org/jira/browse/SOLR-18054
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Components: security
> Affects Versions: 9.10
> Reporter: Jan Høydahl
> Assignee: Jason Gerlowski
> Priority: Blocker
> Fix For: 10.0, 9.10.1
>
> Attachments: SOLR-18054-enum.patch, SOLR-18054-expanded.patch,
> SOLR-18054-zk-and-info-apis.patch, SOLR-18054-zk-and-infos-api-v2.patch,
> SOLR-18054.patch
>
>
> This issue tracks a reported vulnerability on the security@ list by
> monkeontheroof on December 19th 2025. See list for details.
> This Jira will track the solution, patches and will eventually be made public
> after release of both 10.0 and 9.11.
> EDIT: This issue is also being used to track two subsequent security@ reports
> made by monkeontheroof and Indig0 on January 11th, which share the same root
> cause as the original reports - that is, tricking a getPermissionName to
> return null and therefore bypass a predefined permission.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)