@cR0w paging equifax

@Viss @cR0w
That would be "hilarious" if Equifax got popped by the same unpatched box just a different vuln.

@FritzAdalis @cR0w id fully expect it to be the same box, and just 'the new struts bug, which they will have failed to patch, AGAIN, because there are no consequences'

@Viss @cR0w
Same intern gets fired, too.

@cR0w Glad they finally got rid of all those ../ exploits.

#DirectoryTraversalMemes

Apache incubator projects have always been gold mines, but Solr stands out based on the traffic it generates on Full-Disclosure...

@cR0w @screaminggoat
Is that the right cve? It looks like a different product.

@cR0w I agree with @FritzAdalis, it looks like cvefeed.io dun goofed and wrote CVE-2024-21574 as Apache Solr when the vendor is ltdrdata and product ComfyUI-Manager.

I don't go off assumptions so I will rely on the public record of ComfyUI-Manager (which I've never heard of).

@cR0w Yeah I wonder if anyone tracks the frequency and impact of its bugs when doing supply chain analysis...

@screaminggoat @cR0w @FritzAdalis Apache Solr is mostly Java based, this product seems a web app client/server built in python, just the vendor is mistagged imo

@cR0w @ciaranmak @screaminggoat
It's all good. I just wanted to be sure before I emailed my boss and product teams. Besides, I rely on you, and I suspect you're just a side project by a single researcher.

@cR0w @ciaranmak @screaminggoat
$dayJob? So you're vendor-supported!

@cR0w @FritzAdalis @ciaranmak don't rely on me either, a sceaming goat is not a credible source.

@cR0w @FritzAdalis @screaminggoat My personal side project of 5-6 years of RSS/CVE/Feed collection contributed to this startup product *plug*

https://recon.cytidel.com

@cR0w @screaminggoat Does anyone actually USE Apache Solr? I don't think CNET even uses it any more.

@cR0w @ciaranmak @screaminggoat
Yeah, needs an invite code.

@cR0w @screaminggoat Oh yeah I remember speccing a project for AEP, our power utility, and was like "you are using WHAT?"

@cR0w @screaminggoat That's not specific to utilities. Many companies have a crapload of open source stuff installed, and no one on staff who even has the slightest idea of how to run it. Open source software is not free like beer. It's free like puppies.

@cR0w @Sempf @screaminggoat TIL IBM QRadar is built with Solr (at least it used to):
- https://www.ibm.com/support/pages/security-bulletin-apache-solr-used-ibm-qradar-siem-and-incident-forensics-vulnerable-denial-service-cve-2014-0050
- https://ssd-disclosure.com/ssd-advisory-qradar-remote-command-execution/

@buherator @cR0w @screaminggoat Woah holy cow! I had no idea!