N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-7crc-r3wg-cfgf

GHSA-7crc-r3wg-cfgf: Json response for search reveals Solr credentials

Impact

An error in Ibexa's Solr search engine results in potential exposure of Solr credentials. This is a critical vulnerability and all supported versions of the engine are affected. Those not using the Solr search engine are not affected.

Patches

The issue is fixed in all supported versions of ezsystems/ezplatform-solr-search-engine, see "Patched versions". An advisory is also published for ibexa/solr, please see that repository. Commit: https://github.com/ezsystems/ezplatform-solr-search-engine/commit/1005e02cc32ff15a705857fa56171528a83b9c3e

Workarounds

None.

References

https://developers.ibexa.co/security-advisories/ibexa-sa-2023-005-vulnerabilities-in-solr-search-and-file-downloads

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-7crc-r3wg-cfgf

GHSA-7crc-r3wg-cfgf:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ezsystems/ezplatform-solr-search-engine	composer	>= 3.3.0, < 3.3.15	3.3.15
ezsystems/ezplatform-solr-search-engine	composer	>= 2.0.0, < 2.0.2	2.0.2
ezsystems/ezplatform-solr-search-engine	composer	>= 1.7.0, < 1.7.12	1.7.12

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the authorization credentials (user:pass) were removed from getIdentifier() and moved to getURL(). This indicates getIdentifier() was previously constructing a credential-containing string that might have been exposed in API responses. The vulnerability stems from sensitive data being included in an identifier that's part of external outputs, while the patched version limits credential handling to getURL() which is used for internal Solr communication.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-7crc-r3wg-cfgf: Json response for search reveals Solr credentials

Impact

Patches

Workarounds

References

GHSA-7crc-r3wg-cfgf:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

GHSA-7crc-r3wg-cfgf: Json response for search reveals Solr credentials

Impact

Patches

Workarounds

References

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI