SynopsisApache Solr < 5.5.4 Directory Traversal
DescriptionWhen using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. Solr versions < 5.5.4 and 6.x < 6.4.1 do not validate this file name allowing for a remote, unauthenticated attacker to access any file(s) readable by the Solr application.
Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
SolutionUpdate to Apache Solr version 5.5.4 or latest.