Medium severity (CVSS 4.3) · NVD Advisory · Published Apr 1, 2020 · Updated Apr 15, 2026

CVE-2018-11802


Description

In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.solr:solr-parent (Maven) | >= 7.0.0, < 7.7.0 | 7.7.0
org.apache.solr:solr-parent (Maven) | < 6.6.6 | 6.6.6
org.apache.solr:solr-core (Maven) | >= 7.0.0, < 7.7.0 | 7.7.0
org.apache.solr:solr-core (Maven) | < 6.6.6 | 6.6.6

Affected products

  • cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
    Range: >=4.2.0,<6.6.6

Patches

add003f21780

SOLR-12514: Rule-base Authorization plugin skips authorization if querying node does not have collection replica

https://github.com/apache/lucene-solr · Ishan Chattopadhyaya · Mar 19, 2019 · via ghsa
6 files changed · +42 −2
  • solr/CHANGES.txt+5 0 modified
    @@ -29,10 +29,15 @@ Apache UIMA 2.3.1
     Apache ZooKeeper 3.4.10
     Jetty 9.3.14.v20161028
     
    +Bug Fixes
    +----------------------
     
     * SOLR-10506: Fix memory leak (upon collection reload or ZooKeeper session expiry) in ZkIndexSchemaReader.
       (Torsten Bøgh Köster, Christine Poerschke, Jörg Rathlev, Mike Drob)
     
    +* SOLR-12514: Rule-base Authorization plugin skips authorization if querying node does not have collection
    +  replica (noble)
    +
     ==================  6.6.5 ==================
     
     Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
    
  • solr/core/src/java/org/apache/solr/request/SolrRequestInfo.java+14 0 modified
    @@ -16,8 +16,10 @@
      */
     package org.apache.solr.request;
     
    +import javax.servlet.http.HttpServletRequest;
     import java.io.Closeable;
     import java.lang.invoke.MethodHandles;
    +import java.security.Principal;
     import java.util.Date;
     import java.util.LinkedList;
     import java.util.List;
    @@ -40,6 +42,7 @@ public class SolrRequestInfo {
       protected SolrQueryRequest req;
       protected SolrQueryResponse rsp;
       protected Date now;
    +  protected HttpServletRequest httpRequest;
       protected TimeZone tz;
       protected ResponseBuilder rb;
       protected List<Closeable> closeHooks;
    @@ -83,6 +86,17 @@ public SolrRequestInfo(SolrQueryRequest req, SolrQueryResponse rsp) {
         this.req = req;
         this.rsp = rsp;    
       }
    +  public SolrRequestInfo(HttpServletRequest  httpReq, SolrQueryResponse rsp) {
    +    this.httpRequest = httpReq;
    +    this.rsp = rsp;
    +  }
    +
    +  public Principal getUserPrincipal() {
    +    if (req != null) return req.getUserPrincipal();
    +    if (httpRequest != null) return httpRequest.getUserPrincipal();
    +    return null;
    +  }
    +
     
       public Date getNOW() {    
         if (now != null) return now;
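Review bot: The new constructor `public SolrRequestInfo(HttpServletRequest  httpReq, SolrQueryResponse rsp)` leaves `req` null, so any remaining caller that reaches the principal through `getReq()` (the pattern the PKIAuthenticationPlugin and HttpParamDelegationTokenPlugin hunks replace) would hit a null on an instance built this way; the two callers this commit updates are safe, but the constructor should say so. Suggest a Javadoc on it: `/** Request info for a request proxied to another node (REMOTEQUERY), which has no SolrQueryRequest; getReq() is null on such an instance, use getUserPrincipal() instead. */`, and on `getUserPrincipal()` a `@return the principal of the Solr request, else of the servlet request, else null`. Also collapse the double space in `HttpServletRequest  httpReq`. The enclosing class continues outside the hunk.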
    
  • solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java+1 1 modified
    @@ -272,7 +272,7 @@ void setHeader(HttpRequest httpRequest) {
         SolrRequestInfo reqInfo = getRequestInfo();
         String usr;
         if (reqInfo != null) {
    -      Principal principal = reqInfo.getReq().getUserPrincipal();
    +      Principal principal = reqInfo.getUserPrincipal();
           if (principal == null) {
             //this had a request but not authenticated
             //so we don't not need to set a principal
    
  • solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java+1 0 modified
    @@ -510,6 +510,7 @@ public Action call() throws IOException {
               handleAdminRequest();
               return RETURN;
             case REMOTEQUERY:
    +          SolrRequestInfo.setRequestInfo(new SolrRequestInfo(req, new SolrQueryResponse()));
               remoteQuery(coreUrl + path, resp);
               return RETURN;
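Review bot: The added `SolrRequestInfo.setRequestInfo(new SolrRequestInfo(req, new SolrQueryResponse()));` in the REMOTEQUERY branch has no visible matching `SolrRequestInfo.clearRequestInfo()`; if the clear lives in a finally/destroy path outside this hunk that also covers the REMOTEQUERY return that is fine, otherwise the thread-local outlives the request on the pooled servlet thread and a later request on that thread could be forwarded carrying the earlier caller's principal, the opposite of what this fix intends. A comment on the new line would make the contract explicit: `// thread-local read by PKIAuthenticationPlugin.setHeader so the proxied request carries the caller's principal; must be cleared when this call completes`. `req` here is presumably the HttpServletRequest field of HttpSolrCall, matching the new constructor added in SolrRequestInfo — confirm. The body of call() extends beyond the hunk.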
             case PROCESS:
    
  • solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java+20 0 modified
    @@ -38,6 +38,7 @@
     import org.apache.http.message.AbstractHttpMessage;
     import org.apache.http.message.BasicHeader;
     import org.apache.http.util.EntityUtils;
    +import org.apache.solr.client.solrj.SolrClient;
     import org.apache.solr.client.solrj.SolrRequest;
     import org.apache.solr.client.solrj.embedded.JettySolrRunner;
     import org.apache.solr.client.solrj.impl.HttpClientUtil;
    @@ -204,6 +205,25 @@ public void testBasicAuth() throws Exception {
           update.setCommitWithin(100);
           cluster.getSolrClient().request(update, COLLECTION);
     
    +      //Test for SOLR-12514. Create a new jetty . This jetty does not have the collection.
    +      //Make a request to that jetty and it should fail
    +      JettySolrRunner aNewJetty = cluster.startJettySolrRunner();
    +      SolrClient aNewClient = aNewJetty.newClient();
    +      UpdateRequest delQuery = null;
    +      delQuery = new UpdateRequest().deleteByQuery("*:*");
    +      delQuery.setBasicAuthCredentials("harry","HarryIsUberCool");
    +      delQuery.process(aNewClient, COLLECTION);//this should succeed
    +      try {
    +        delQuery = new UpdateRequest().deleteByQuery("*:*");
    +        delQuery.process(aNewClient, COLLECTION);
    +        fail("This should not have succeeded without credentials");
    +      } catch (HttpSolrClient.RemoteSolrException e) {
    +        assertTrue(e.getMessage().contains("Unauthorized request"));
    +      } finally {
    +        aNewClient.close();
    +        aNewJetty.stop();
    +      }
    +
     
           executeCommand(baseUrl + authcPrefix, cl, "{set-property : { blockUnknown: true}}", "harry", "HarryIsUberCool");
           verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/blockUnknown", "true", 20, "harry", "HarryIsUberCool");
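Review bot: If the first `delQuery.process(aNewClient, COLLECTION);` (the authenticated call marked "this should succeed") throws, `aNewClient` and `aNewJetty` are never closed, because the `try`/`finally` only begins after it; start the jetty, open the client in a try-with-resources (SolrClient is Closeable) and keep the jetty stop in a finally that covers both requests. `UpdateRequest delQuery = null;` followed by an immediate reassignment can be collapsed to `UpdateRequest delQuery = new UpdateRequest().deleteByQuery("*:*");`. The check `e.getMessage().contains("Unauthorized request")` pins error text rather than the status; if the exception exposes the HTTP code, asserting 401 would be sturdier — hedged, since its accessors are not visible here. testBasicAuth continues outside the hunk.
```java
      JettySolrRunner aNewJetty = cluster.startJettySolrRunner();
      try (SolrClient aNewClient = aNewJetty.newClient()) {
        UpdateRequest delQuery = new UpdateRequest().deleteByQuery("*:*");
        delQuery.setBasicAuthCredentials("harry","HarryIsUberCool");
        delQuery.process(aNewClient, COLLECTION);//this should succeed
        try {
          delQuery = new UpdateRequest().deleteByQuery("*:*");
          delQuery.process(aNewClient, COLLECTION);
          fail("This should not have succeeded without credentials");
        } catch (HttpSolrClient.RemoteSolrException e) {
          assertTrue(e.getMessage().contains("Unauthorized request"));
        }
      } finally {
        aNewJetty.stop();
      }
```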
    
  • solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenPlugin.java+1 1 modified
    @@ -77,7 +77,7 @@ public void process(HttpRequest httpRequest, HttpContext httpContext) throws Htt
           SolrRequestInfo reqInfo = SolrRequestInfo.getRequestInfo();
           String usr;
           if (reqInfo != null) {
    -        Principal principal = reqInfo.getReq().getUserPrincipal();
    +        Principal principal = reqInfo.getUserPrincipal();
             if (principal == null) {
               //this had a request but not authenticated
               //so we don't not need to set a principal
    
