{"api_version":"1","generated_at":"2026-04-22T21:27:17+00:00","cve":"CVE-2021-29262","urls":{"html":"https://cve.report/CVE-2021-29262","api":"https://cve.report/api/cve/CVE-2021-29262.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-29262","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-29262"},"summary":{"title":"CVE-2021-29262","description":"When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2021-04-13 07:15:00","updated_at":"2023-11-07 03:32:00"},"problem_types":["CWE-522"],"metrics":[],"references":[{"url":"https://lists.apache.org/thread.html/r1e92a2eff6c47a65c4a6e95e809a9707181de76f8062403a0bea1012@%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Updated] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20210604-0009/","name":"https://security.netapp.com/advisory/ntap-20210604-0009/","refsource":"CONFIRM","tags":[],"title":"April 2021 Apache Solr Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/ref84e60192f4bdc3206b247f260513e8d4e71f3e200792f75386d07a@%3Cdev.jackrabbit.apache.org%3E","name":"[jackrabbit-dev] 20210730 [GitHub] [jackrabbit-oak] nit0906 merged pull request #334: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/r1e92a2eff6c47a65c4a6e95e809a9707181de76f8062403a0bea1012%40%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Updated] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r1171f6417eeb6d5e1206d53e2b2ff2d6ee14026f8b595ef7d8a33b79@%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Assigned] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/r8d35eeb9a470d2682b5bcf3be0b8942faa7e28f9ca5861c058d17fff%40%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20211006 [jira] [Updated] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rd85f87e559ee27e9c69795e3ad93a77621895e0328ea3df41d711d72%40%3Coak-commits.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-commits] 20210730 [jackrabbit-oak] branch trunk updated: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262 (#334)","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r51b29ff62060b67bc9999ded5e252b36b09311fe5a02d27f6de3e4d3%40%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Created] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rbc680cbfd745f22d182158217428a296e8e398cde16f3f428fe4bddc%40%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Commented] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r7151081abab92a827a607205c4260b0a3d22280b52d15bc909177608@%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Commented] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/r536da4c4e4e406f7843461cc754a3d0a3fe575aa576e2b71a9cd57d0%40%3Cannounce.apache.org%3E","name":"https://lists.apache.org/thread.html/r536da4c4e4e406f7843461cc754a3d0a3fe575aa576e2b71a9cd57d0%40%3Cannounce.apache.org%3E","refsource":"MISC","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/rbc680cbfd745f22d182158217428a296e8e398cde16f3f428fe4bddc@%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Commented] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/r7151081abab92a827a607205c4260b0a3d22280b52d15bc909177608%40%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Commented] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rd85f87e559ee27e9c69795e3ad93a77621895e0328ea3df41d711d72@%3Coak-commits.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-commits] 20210730 [jackrabbit-oak] branch trunk updated: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262 (#334)","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/rb6db683903174eaa44ec80cc118a38574319b0d4181f36b61ee6278f@%3Cdev.jackrabbit.apache.org%3E","name":"[jackrabbit-dev] 20210730 [GitHub] [jackrabbit-oak] nit0906 opened a new pull request #334: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/ref84e60192f4bdc3206b247f260513e8d4e71f3e200792f75386d07a%40%3Cdev.jackrabbit.apache.org%3E","name":"[jackrabbit-dev] 20210730 [GitHub] [jackrabbit-oak] nit0906 merged pull request #334: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r51b29ff62060b67bc9999ded5e252b36b09311fe5a02d27f6de3e4d3@%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Created] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/r9c4ce6903218c92ef2583070e64af5a69e483821c4b3016dc41e3c6f%40%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Resolved] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rb6db683903174eaa44ec80cc118a38574319b0d4181f36b61ee6278f%40%3Cdev.jackrabbit.apache.org%3E","name":"[jackrabbit-dev] 20210730 [GitHub] [jackrabbit-oak] nit0906 opened a new pull request #334: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r8d35eeb9a470d2682b5bcf3be0b8942faa7e28f9ca5861c058d17fff@%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20211006 [jira] [Updated] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/r1171f6417eeb6d5e1206d53e2b2ff2d6ee14026f8b595ef7d8a33b79%40%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Assigned] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r9c4ce6903218c92ef2583070e64af5a69e483821c4b3016dc41e3c6f@%3Coak-issues.jackrabbit.apache.org%3E","name":"[jackrabbit-oak-issues] 20210730 [jira] [Resolved] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-29262","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29262","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Timothy Potter and Mike Drob, Apple Cloud Services","lang":""}],"nvd_cpes":[{"cve_year":"2021","cve_id":"29262","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"solr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-29262","qid":"150446","title":"Apache Solr Information Disclosure Vulnerability (CVE-2021-29262)"},{"cve":"CVE-2021-29262","qid":"980495","title":"Java (maven) Security Update for org.apache.solr:solr-core (GHSA-jgcr-fg3g-qvw8)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2021-29262","STATE":"PUBLIC","TITLE":"Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Solr","version":{"version_data":[{"version_affected":"<","version_name":"Apache Solr","version_value":"8.8.2"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"credit":[{"lang":"eng","value":"Timothy Potter and Mike Drob, Apple Cloud Services"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs."}]},"generator":{"engine":"Vulnogram 0.0.9"},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-522 Insufficiently Protected Credentials"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://lists.apache.org/thread.html/r536da4c4e4e406f7843461cc754a3d0a3fe575aa576e2b71a9cd57d0%40%3Cannounce.apache.org%3E","name":"https://lists.apache.org/thread.html/r536da4c4e4e406f7843461cc754a3d0a3fe575aa576e2b71a9cd57d0%40%3Cannounce.apache.org%3E"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210604-0009/","url":"https://security.netapp.com/advisory/ntap-20210604-0009/"},{"refsource":"MLIST","name":"[jackrabbit-oak-issues] 20210730 [jira] [Created] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","url":"https://lists.apache.org/thread.html/r51b29ff62060b67bc9999ded5e252b36b09311fe5a02d27f6de3e4d3@%3Coak-issues.jackrabbit.apache.org%3E"},{"refsource":"MLIST","name":"[jackrabbit-oak-issues] 20210730 [jira] [Assigned] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","url":"https://lists.apache.org/thread.html/r1171f6417eeb6d5e1206d53e2b2ff2d6ee14026f8b595ef7d8a33b79@%3Coak-issues.jackrabbit.apache.org%3E"},{"refsource":"MLIST","name":"[jackrabbit-oak-issues] 20210730 [jira] [Commented] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","url":"https://lists.apache.org/thread.html/rbc680cbfd745f22d182158217428a296e8e398cde16f3f428fe4bddc@%3Coak-issues.jackrabbit.apache.org%3E"},{"refsource":"MLIST","name":"[jackrabbit-dev] 20210730 [GitHub] [jackrabbit-oak] nit0906 opened a new pull request #334: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262","url":"https://lists.apache.org/thread.html/rb6db683903174eaa44ec80cc118a38574319b0d4181f36b61ee6278f@%3Cdev.jackrabbit.apache.org%3E"},{"refsource":"MLIST","name":"[jackrabbit-oak-issues] 20210730 [jira] [Updated] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","url":"https://lists.apache.org/thread.html/r1e92a2eff6c47a65c4a6e95e809a9707181de76f8062403a0bea1012@%3Coak-issues.jackrabbit.apache.org%3E"},{"refsource":"MLIST","name":"[jackrabbit-oak-issues] 20210730 [jira] [Resolved] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","url":"https://lists.apache.org/thread.html/r9c4ce6903218c92ef2583070e64af5a69e483821c4b3016dc41e3c6f@%3Coak-issues.jackrabbit.apache.org%3E"},{"refsource":"MLIST","name":"[jackrabbit-oak-commits] 20210730 [jackrabbit-oak] branch trunk updated: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262 (#334)","url":"https://lists.apache.org/thread.html/rd85f87e559ee27e9c69795e3ad93a77621895e0328ea3df41d711d72@%3Coak-commits.jackrabbit.apache.org%3E"},{"refsource":"MLIST","name":"[jackrabbit-dev] 20210730 [GitHub] [jackrabbit-oak] nit0906 merged pull request #334: OAK-9520 | Updating solr version to handle/fix CVE-2021-29262","url":"https://lists.apache.org/thread.html/ref84e60192f4bdc3206b247f260513e8d4e71f3e200792f75386d07a@%3Cdev.jackrabbit.apache.org%3E"},{"refsource":"MLIST","name":"[jackrabbit-oak-issues] 20210730 [jira] [Commented] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","url":"https://lists.apache.org/thread.html/r7151081abab92a827a607205c4260b0a3d22280b52d15bc909177608@%3Coak-issues.jackrabbit.apache.org%3E"},{"refsource":"MLIST","name":"[jackrabbit-oak-issues] 20211006 [jira] [Updated] (OAK-9520) CVE-2021-29262 in oak-solr-osgi","url":"https://lists.apache.org/thread.html/r8d35eeb9a470d2682b5bcf3be0b8942faa7e28f9ca5861c058d17fff@%3Coak-issues.jackrabbit.apache.org%3E"}]},"source":{"defect":["SOLR-15249"],"discovery":"UNKNOWN"},"work_around":[{"lang":"eng","value":"Manually set appropriate ACLs on /security.json znode."}]},"nvd":{"publishedDate":"2021-04-13 07:15:00","lastModifiedDate":"2023-11-07 03:32:00","problem_types":["CWE-522"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*","versionEndExcluding":"8.8.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"29262","Ordinal":"204457","Title":"CVE-2021-29262","CVE":"CVE-2021-29262","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"29262","Ordinal":"1","NoteData":"When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"29262","Ordinal":"2","NoteData":"2021-04-13","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"29262","Ordinal":"3","NoteData":"2021-10-06","Type":"Other","Title":"Modified"}]}}}