Multiple Solr endpoints have been found to accept absolute paths. In Windows systems these absolute path can be forced to make the OS connect to an attacker-controlled SMB server.
This behaviour may result in attacks such as:
- Capturing the NTLM hash and cracking it locally
- SMB Relay attack that can be used to authenticate to other SMB servers
Note: Although not in the scope of the CVE, post-authenticated this behavior can result in Remote Code Execution via Malicious Solr Config files:
- In Windows environments by serving the config remotely via SMB
- In Windows and Linux systems by writing the Solr Config in a location that is writable by anyone (e.g. C:\Users\Pubic, /tmp/, etc.) and pointing the location of that core there via an absolute path
The vendor's disclosure and fix for this vulnerability can be found here.
The MITRE disclosure for this vulnerability can be found here.
More details and the exploitation process can be found in this PDF.