PT-2021-18153 · Apache · Apache Solr

Nit0906 · Published 2021-04-13 · Updated 2024-03-06 · CVE-2021-29262

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Solr versions prior to 8.8.2
Description: The issue arises when Apache Solr is started with certain ZooKeeper ACL configurations, such as the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider, and no security.json znode exists yet. If the optional read-only user is configured, Solr does not treat the newly created security.json znode as a sensitive path, so the read-only user is granted read access to it. Furthermore, with any ZkACLProvider, if security.json is already present, Solr does not automatically update its ACLs, so an overly permissive ACL persists.
Recommendations: For versions prior to 8.8.2, update to version 8.8.2 or later to resolve the issue. As a temporary workaround, manually set the ACLs on the security.json znode so that only the administrative ZooKeeper principal can read and modify it. Additionally, restrict access to sensitive paths until the update is applied.
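As an added illustration of the workaround (not code from this advisory or from the Solr project), the following Python audits a ZooKeeper ACL list for a znode that should be admin-only, such as Solr's security.json, and builds the admin-only ACL set to apply instead. The principal names and digests are constructed placeholders, and the (scheme, id, perms-bitmask) shape mirrors what ZooKeeper clients such as kazoo's get_acls() return.

```python
from typing import List, NamedTuple, Set, Tuple

# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


class Acl(NamedTuple):
    scheme: str  # e.g. "world", "digest", "sasl"
    ident: str   # e.g. "anyone" or "user:<base64(sha1(user:pass))>"
    perms: int   # bitmask of the constants above


Principal = Tuple[str, str]  # (scheme, ident)


def audit_sensitive_node(acls: List[Acl], admins: Set[Principal]) -> List[str]:
    """Return findings for a znode that must be admin-only (e.g. /security.json).

    Any principal outside `admins` holding READ, or any write-class bit, is a
    finding. The vulnerable Solr configurations left the read-only user with
    READ on security.json, which this check flags.
    """
    findings = []
    for a in acls:
        if (a.scheme, a.ident) in admins:
            continue
        who = f"{a.scheme}:{a.ident}"
        if a.perms & READ:
            findings.append(f"{who} can read a sensitive node")
        if a.perms & (WRITE | CREATE | DELETE | ADMIN):
            findings.append(f"{who} can modify a sensitive node")
    return findings


def hardened_acl(admins: Set[Principal]) -> List[Acl]:
    """ACL list granting ALL to the admin principals and nothing to anyone else."""
    return sorted(Acl(s, i, ALL) for s, i in admins)


# Constructed sample principals; the digests are placeholders, not real hashes.
ADMIN_P: Principal = ("digest", "solr-admin:PLACEHOLDER_DIGEST")
READONLY_P: Principal = ("digest", "solr-ro:PLACEHOLDER_DIGEST")
ADMINS = {ADMIN_P}

# ACL shape the vulnerable configuration leaves on security.json:
# the read-only user was granted READ because the path was not treated as sensitive.
VULNERABLE = [Acl(*ADMIN_P, ALL), Acl(*READONLY_P, READ)]

if __name__ == "__main__":
    for finding in audit_sensitive_node(VULNERABLE, ADMINS):
        print("FINDING:", finding)
    print("apply instead:", hardened_acl(ADMINS))
```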

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

BIT-SOLR-2021-29262
CVE-2021-29262
GHSA-JGCR-FG3G-QVW8

Affected Products

Apache Solr