Potential CVE-2021-27905 Exploitation Attempt

 1title: Potential CVE-2021-27905 Exploitation Attempt
 2id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
 3status: test
 4description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
 5references:
 6    - https://twitter.com/Al1ex4/status/1382981479727128580
 7    - https://twitter.com/sec715/status/1373472323538362371
 8    - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
 9    - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
10    - https://github.com/murataydemir/CVE-2021-27905
11author: '@gott_cyber'
12date: 2022/12/11
13modified: 2023/03/24
14tags:
15    - attack.initial_access
16    - attack.t1190
17    - cve.2021.27905
18    - detection.emerging_threats
19logsource:
20    category: webserver
21detection:
22    selection_request1:
23        cs-uri-query|contains|all:
24            - '/solr/'
25            - '/debug/dump?'
26            - 'param=ContentStream'
27        sc-status: 200
28    selection_request2:
29        cs-method: 'GET'
30        cs-uri-query|contains|all:
31            - '/solr/'
32            - 'command=fetchindex'
33            - 'masterUrl='
34        sc-status: 200
35    condition: 1 of selection_*
36falsepositives:
37    - Vulnerability Scanners
38level: medium

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Apache Solr Arbitrary File Read and SSRF Vulnerability Threat Alert - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

  

  Vulnerability Description Recently, NSFOCUS detected that an Apache Solr arbitrary file read and server-side request forgery (SSRF) vulnerability was disclosed on the Internet. Since authentication was disabled by default when Apache Solr was installed, unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API, thereby exploiting the vulnerability to read files. Currently, the proof […]

  
  Read More

• Apache Solr 任意文件读取漏洞 1Day

  

  Apache Solr 任意文件读取漏洞 1Day来啦~

  
  Read More

• GitHub - murataydemir/CVE-2021-27905: [CVE-2021-27905] Apache Solr ReplicationHandler Server Side Request Forgery (SSRF)

  

  [CVE-2021-27905] Apache Solr ReplicationHandler Server Side Request Forgery (SSRF) - murataydemir/CVE-2021-27905

  
  Read More

Related rules

• Potential CVE-2022-21587 Exploitation Attempt
• Potential CVE-2023-23752 Exploitation Attempt
• Potential CVE-2022-26809 Exploitation Attempt
• Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
• Potential Exploitation Attempt Of Undocumented WindowsServer RCE