PT-2021-17659 · Apache · Apache Solr

Weinull Orz · Published 2021-04-13 · Updated 2026-01-09 · CVE-2021-27905

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Apache Solr versions prior to 8.8.2
Description: The ReplicationHandler in Apache Solr, normally registered at "/replication" under a Solr core, accepts a masterUrl parameter (leaderUrl is an alias) that designates another ReplicationHandler on another Solr core from which index data is replicated into the local core. To prevent a Server-Side Request Forgery (SSRF) issue, Solr should validate this parameter against the same allow-list configuration it applies to the shards parameter. Prior to the fix this check was not performed, so anyone able to send requests to the endpoint could make the Solr node open an HTTP connection to a host and port of their choosing, from the server's own network position.
Recommendations: Upgrade Apache Solr to version 8.8.2 or later. Until the upgrade is done, restrict access to each core's /replication endpoint (Solr authentication and authorization, or network-level filtering in front of Solr) so that only genuine replication peers can reach it, and block or strip the masterUrl and leaderUrl parameters at the reverse proxy. After upgrading, verify that the fixed version still accepts your legitimate replication leaders, since masterUrl and leaderUrl are now checked against the allow-list used for the shards parameter.
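The following Python script is an added example and is not part of this advisory or of the Solr project. It reproduces the allow-list comparison that the fix performs (peer host:port must be on the list) as a stand-alone check, runs it over constructed request-log lines to flag fetchindex calls whose masterUrl or leaderUrl points outside the list, and adds a version test against the 8.8.2 fix threshold. The allow-list entry format (bare host:port, compared case-insensitively) and the NCSA-style log format are assumptions; compare them with your own solr.xml and request logs before relying on the output.

```python
"""
Exposure check for CVE-2021-27905 (Apache Solr ReplicationHandler SSRF).

  * is_affected(version)      -> True for Solr releases before 8.8.2
  * find_suspect_requests(..) -> /replication calls whose masterUrl/leaderUrl
                                 names a host:port outside the allow-list

Assumptions (not from the advisory): allow-list entries compare as lower-cased
host:port pairs, and the log lines below are constructed NCSA-style samples.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (8, 8, 2)                        # first release with the check
REPLICATION_PARAMS = ("masterUrl", "leaderUrl")  # leaderUrl is an alias

# Constructed allow-list: the only peer this node should replicate from.
ALLOW_LIST = ["solr-leader:8983"]

# Constructed sample log lines (NCSA-style); not real Solr output.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Apr/2021:10:15:01 +0000] "GET /solr/products/replication?command=fetchindex&masterUrl=http://solr-leader:8983/solr/products/replication HTTP/1.1" 200 318',
    '203.0.113.7 - - [13/Apr/2021:10:16:44 +0000] "GET /solr/products/replication?command=fetchindex&masterUrl=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 290',
    '203.0.113.7 - - [13/Apr/2021:10:17:02 +0000] "GET /solr/products/replication?command=fetchindex&leaderUrl=http%3A%2F%2F10.0.0.1%3A8080%2Fadmin HTTP/1.1" 200 290',
    '10.0.0.5 - - [13/Apr/2021:10:18:10 +0000] "GET /solr/products/select?q=*:*&rows=10 HTTP/1.1" 200 1024',
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def parse_version(version: str) -> tuple:
    """Turn '8.8.1' into (8, 8, 1); raise ValueError on anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Solr version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """Releases prior to 8.8.2 accept masterUrl/leaderUrl unchecked."""
    return parse_version(version) < FIXED_VERSION


def host_port(url: str) -> str:
    """Normalise a URL to 'host:port' (port defaulted from scheme); '' if no host."""
    parts = urlsplit(url)
    if not parts.hostname:
        return ""
    try:
        port = parts.port
    except ValueError:  # non-numeric port in the URL
        return ""
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.hostname.lower()}:{port}"


def normalise_entry(entry: str) -> str:
    """Allow-list entries may be a bare 'host:port' or a full URL."""
    return host_port(entry) if "://" in entry else entry.strip().lower()


def url_allowed(url: str, allow_list) -> bool:
    """The check the fix adds: the replication peer must be on the allow-list."""
    target = host_port(url)
    return bool(target) and target in {normalise_entry(e) for e in allow_list}


def find_suspect_requests(log_lines, allow_list):
    """Return (client_ip, param, url) for each /replication request whose
    masterUrl/leaderUrl is not allow-listed. Only the query string is
    inspected; a POST body carrying the parameter needs separate handling."""
    findings = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        if not path.endswith("/replication"):
            continue
        params = parse_qs(query)          # also percent-decodes the values
        client_ip = line.split(" ", 1)[0]
        for name in REPLICATION_PARAMS:
            for url in params.get(name, []):
                if not url_allowed(url, allow_list):
                    findings.append((client_ip, name, url))
    return findings


if __name__ == "__main__":
    for v in ("7.7.3", "8.8.1", "8.8.2"):
        print(f"Solr {v}: {'affected' if is_affected(v) else 'fixed'}")
    for ip, name, url in find_suspect_requests(SAMPLE_LOG, ALLOW_LIST):
        print(f"suspect {name} from {ip}: {url}")
```

Run it against a copy of your Jetty request logs instead of SAMPLE_LOG to look for past abuse; a masterUrl pointing at a link-local metadata address or an internal management port, as in the two flagged sample lines, is the pattern to hunt for. The allow-list comparison is deliberately strict (host and port must both match), which is also why an upgrade can break replication until the real leaders are added to the list.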

SSRF

Related Identifiers

BIT-SOLR-2021-27905
CVE-2021-27905
GHSA-5PHW-3JRP-3VJ8

Affected Products

Apache Solr