CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24814 – Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files
https://notcve.org/view.php?id=CVE-2025-24814
27 Jan 2025 — Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual "trusted" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem. These replacement config files are tre... • https://lists.apache.org/thread/gl291pn8x9f9n52ys5l0pc0b6qtf0qw1 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52012 – Apache Solr: Configset upload on Windows allows arbitrary path write-access
https://notcve.org/view.php?id=CVE-2024-52012
27 Jan 2025 — Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API. Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem. This issue affects Apache Solr: from 6.6 through 9.7.0. Users are recommended to upgrade to version 9.8.0, which fixes the issue. • https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd • CWE-23: Relative Path Traversal •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45217 – Apache Solr: ConfigSets created during a backup restore command are trusted implicitly
https://notcve.org/view.php?id=CVE-2024-45217
16 Oct 2024 — Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request. "trusted" ConfigSets are able to load custom code into classloaders, t... • https://solr.apache.org/security.html#cve-2024-45217-apache-solr-configsets-created-during-a-backup-restore-command-are-trusted-implicitly • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 9.8EPSS: 92%CPEs: 2EXPL: 2CVE-2024-45216 – Apache Solr: Authentication bypass possible using a fake URL Path ending
https://notcve.org/view.php?id=CVE-2024-45216
16 Oct 2024 — Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue a... • https://github.com/congdong007/CVE-2024-45216-Poc • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31391 – Apache Solr Operator: Solr-Operator liveness and readiness probes may leak basic auth credentials
https://notcve.org/view.php?id=CVE-2024-31391
12 Apr 2024 — Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator. This issue affects all versions of the Apache Solr Operator from 0.3.0 through 0.8.0. When asked to bootstrap Solr security, the operator will enable basic authentication and create several accounts for accessing Solr: including the "solr" and "admin" accounts for use by end-users, and a "k8s-oper" account which the operator uses for its own requests to Solr. One common source of these operator requests is healthchec... • http://www.openwall.com/lists/oss-security/2024/04/12/7 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-50291 – Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords
https://notcve.org/view.php?id=CVE-2023-50291
09 Feb 2024 — Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info... • http://www.openwall.com/lists/oss-security/2024/02/09/4 • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.8EPSS: 22%CPEs: 2EXPL: 0CVE-2023-50292 – Apache Solr: Solr Schema Designer blindly "trusts" all configsets, possibly leading to RCE by unauthenticated users
https://notcve.org/view.php?id=CVE-2023-50292
09 Feb 2024 — Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr. This issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0. The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, when the feature was created, the "trust" (authentication) of these configSets was not considered. External library loading is only available to configSets that are "... • http://www.openwall.com/lists/oss-security/2024/02/09/3 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-50298 – Apache Solr: Solr can expose ZooKeeper credentials via Streaming Expressions
https://notcve.org/view.php?id=CVE-2023-50298
09 Feb 2024 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. When original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides. An attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials a... • http://www.openwall.com/lists/oss-security/2024/02/09/2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-922: Insecure Storage of Sensitive Information •
CVSS: 9.0EPSS: 88%CPEs: 2EXPL: 2CVE-2023-50386 – Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets
https://notcve.org/view.php?id=CVE-2023-50386
09 Feb 2024 — Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepositor... • https://packetstorm.news/files/id/178255 • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 6.8EPSS: 87%CPEs: 1EXPL: 0CVE-2023-50290 – Apache Solr: Host environment variables are published via the Metrics API
https://notcve.org/view.php?id=CVE-2023-50290
15 Jan 2024 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties whic... • https://solr.apache.org/security.html#cve-2023-50290-apache-solr-allows-read-access-to-host-environment-variables • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •