To address the security issue https://nvd.nist.gov/vuln/detail/CVE-2020-13941, it is necessary to configure the location parameter of the replication handler to be invariant.
This configuration is already provided in solrconfig.xml.
<requestHandlername="/replication"class="org.alfresco.solr.handler.AlfrescoReplicationHandler" >
<!--
This invariant is needed to prevent the usage of location parameter in the replication handler APIs.
There is no validation for location parameter. This results in a vulnerability described in https://nvd.nist.gov/vuln/detail/CVE-2020-13941
-->
<lst name="invariants">
<str name="location">${solr.backup.dir:.}</str>
</lst>
</requestHandler>
To specify the backup location you must configure a parameter called solr.backup.dir in the solrcore.properties file. The parameter determines the root backup directory and one must be created for each core, in advance of when you start Solr.
For example, if you have one core then the parameter might be set to /var/data/solr/backup and you must create that directory before starting Solr. If you have two cores, called alfresco and archive, then the parameter might be set to /var/data/solr/backup/alfresco, /var/data/solr/backup/archive and you must create those directories before starting Solr.