High severity7.5NVD Advisory· Published Aug 30, 2017· Updated May 13, 2026

CVE-2017-3163

Description

When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.solr:solr-coreMaven	< 5.5.4	5.5.4
org.apache.solr:solr-coreMaven	>= 6.0.0, < 6.4.1	6.4.1

Affected products

Apache/Solr8 versions
cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*range: <=5.5.3
- cpe:2.3:a:apache:solr:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.4.0:*:*:*:*:*:*:*
Apache Software Foundation/Apache Solrv5
Range: 1.4.0 to 5.5.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.009
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000