csaf_certbund - WID-SEC-W-2024-0340

WID-SEC-W-2024-0340

Vulnerability from csaf_certbund

Published

2024-02-11 23:00

Modified

2024-11-11 23:00

Summary

Apache Solr: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache Solr ist ein Suchmaschinen-Server für Unternehmen mit einer REST-ähnlichen API.

Angriff

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache Solr ausnutzen, um Informationen offenzulegen oder beliebigen Programmcode auszuführen.

Betroffene Betriebssysteme

- Linux - UNIX - Windows

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "hoch",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "Apache Solr ist ein Suchmaschinen-Server für Unternehmen mit einer REST-ähnlichen API.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache Solr ausnutzen, um Informationen offenzulegen oder beliebigen Programmcode auszuführen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Linux\n- UNIX\n- Windows",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2024-0340 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0340.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2024-0340 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0340",
         },
         {
            category: "external",
            summary: "Solr Security News vom 2024-02-11",
            url: "https://solr.apache.org/security.html",
         },
         {
            category: "external",
            summary: "Red Hat Bugtracker vom 2024-02-11",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263577",
         },
         {
            category: "external",
            summary: "Red Hat Bugtracker vom 2024-02-11",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263579",
         },
         {
            category: "external",
            summary: "Red Hat Bugtracker vom 2024-02-11",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263583",
         },
         {
            category: "external",
            summary: "Red Hat Bugtracker vom 2024-02-11",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263585",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 7147788 vom 2024-04-09",
            url: "https://www.ibm.com/support/pages/node/7147788",
         },
      ],
      source_lang: "en-US",
      title: "Apache Solr: Mehrere Schwachstellen",
      tracking: {
         current_release_date: "2024-11-11T23:00:00.000+00:00",
         generator: {
            date: "2024-11-12T10:06:30.870+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.8",
            },
         },
         id: "WID-SEC-W-2024-0340",
         initial_release_date: "2024-02-11T23:00:00.000+00:00",
         revision_history: [
            {
               date: "2024-02-11T23:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
            {
               date: "2024-04-09T22:00:00.000+00:00",
               number: "2",
               summary: "Neue Updates von IBM aufgenommen",
            },
            {
               date: "2024-11-11T23:00:00.000+00:00",
               number: "3",
               summary: "Prüfung Produkteintragung",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<9.3.0",
                        product: {
                           name: "Apache Solr <9.3.0",
                           product_id: "1506974",
                        },
                     },
                     {
                        category: "product_version",
                        name: "9.3.0",
                        product: {
                           name: "Apache Solr 9.3.0",
                           product_id: "1506974-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:apache:solr:9.3.0",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<9.4.1",
                        product: {
                           name: "Apache Solr <9.4.1",
                           product_id: "T032661",
                        },
                     },
                     {
                        category: "product_version",
                        name: "9.4.1",
                        product: {
                           name: "Apache Solr 9.4.1",
                           product_id: "T032661-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:apache:solr:9.4.1",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<8.11.3",
                        product: {
                           name: "Apache Solr <8.11.3",
                           product_id: "T032663",
                        },
                     },
                     {
                        category: "product_version",
                        name: "8.11.3",
                        product: {
                           name: "Apache Solr 8.11.3",
                           product_id: "T032663-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:apache:solr:8.11.3",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Solr",
               },
            ],
            category: "vendor",
            name: "Apache",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "8.10.x",
                        product: {
                           name: "IBM Operational Decision Manager 8.10.x",
                           product_id: "T027827",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:operational_decision_manager:8.10.x",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "8.11.x",
                        product: {
                           name: "IBM Operational Decision Manager 8.11.x",
                           product_id: "T027828",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:operational_decision_manager:8.11.x",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "8.12.x",
                        product: {
                           name: "IBM Operational Decision Manager 8.12.x",
                           product_id: "T030120",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:operational_decision_manager:8.12.x",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Operational Decision Manager",
               },
            ],
            category: "vendor",
            name: "IBM",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2023-50291",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Apache Solr. Diese ist darauf zurückzuführen, dass vertrauliche Informationen an dem \"/admin/info/properties\" Endpunkt nicht geschützt sind. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen.",
            },
         ],
         product_status: {
            known_affected: [
               "T027827",
               "T032663",
               "T027828",
               "1506974",
               "T030120",
            ],
         },
         release_date: "2024-02-11T23:00:00.000+00:00",
         title: "CVE-2023-50291",
      },
      {
         cve: "CVE-2023-50292",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Apache Solr. Diese ist auf einen Fehler in der Komponente \"Schema Designer\" zurückzuführen, welche \"Schemas\" ungeprüft ausführt. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen.",
            },
         ],
         product_status: {
            known_affected: [
               "T027827",
               "T032663",
               "T027828",
               "1506974",
               "T030120",
            ],
         },
         release_date: "2024-02-11T23:00:00.000+00:00",
         title: "CVE-2023-50292",
      },
      {
         cve: "CVE-2023-50298",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Apache Solr. Diese besteht in der \"zkHost\"-Funktionalität, die zum Austausch mit anderen Solr-Clouds genutzt werden kann. Ein entfernter, authentisierter Angreifer in einer man-in-the-middle-position kann diese Schwachstelle ausnutzen, um Informationen offenzulegen.",
            },
         ],
         product_status: {
            known_affected: [
               "T027827",
               "T032663",
               "T027828",
               "1506974",
               "T030120",
            ],
         },
         release_date: "2024-02-11T23:00:00.000+00:00",
         title: "CVE-2023-50298",
      },
      {
         cve: "CVE-2023-50386",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Apache Solr. Diese ist auf einen Fehler in der Komponente \"ConfigSets\" zurückzuführen, welche ungeprüft Java jar Dateien und Klassen per API akzeptiert und speichert. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen.",
            },
         ],
         product_status: {
            known_affected: [
               "T027827",
               "T032663",
               "T027828",
               "1506974",
               "T032661",
               "T030120",
            ],
         },
         release_date: "2024-02-11T23:00:00.000+00:00",
         title: "CVE-2023-50386",
      },
   ],
}

cve-2023-50291

Vulnerability from cvelistv5

Published

2024-02-09 17:29

Modified

2025-02-13 17:19

Severity ?

Summary

Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI. This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password". Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'

References

▼	URL	Tags
	https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies	vendor-advisory
	http://www.openwall.com/lists/oss-security/2024/02/09/4

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Solr	Version: 6.0.0 ≤ 8.11.2 Version: 9.0.0 ≤

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T22:16:46.115Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2024/02/09/4",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Apache Solr",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThanOrEqual: "8.11.2",
                     status: "affected",
                     version: "6.0.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "9.3.0",
                     status: "affected",
                     version: "9.0.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               value: "Michael Taggart",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Insufficiently Protected Credentials vulnerability in Apache Solr.<p></p><p>This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.<span style=\"background-color: rgb(255, 255, 255);\"><br></span>One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.<br>There are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.<br><span style=\"background-color: rgb(255, 255, 255);\">This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.</span><br></p>This /admin/info/properties endpoint is protected under the \"config-read\" permission.<br>Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.<br><p>Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.<br>A single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".<br>By default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".</p><p>Users who cannot upgrade can also use the following Java system property to fix the issue:<br>&nbsp; '-D<span style=\"background-color: rgb(255, 255, 255);\">solr.redaction.system.pattern</span>=.*(password|secret|basicauth).*'</p><p></p>",
                  },
               ],
               value: "Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n  '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "moderate",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-522",
                     description: "CWE-522 Insufficiently Protected Credentials",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-02-09T17:30:06.569Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies",
            },
            {
               url: "http://www.openwall.com/lists/oss-security/2024/02/09/4",
            },
         ],
         source: {
            defect: [
               "SOLR-16809",
            ],
            discovery: "EXTERNAL",
         },
         title: "Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2023-50291",
      datePublished: "2024-02-09T17:29:32.882Z",
      dateReserved: "2023-12-06T17:56:16.223Z",
      dateUpdated: "2025-02-13T17:19:03.580Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-50298

Vulnerability from cvelistv5

Published

2024-02-09 17:29

Modified

2025-02-13 17:19

Severity ?

Summary

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. When original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides. An attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information, then send a streaming expression using the mock server's address in "zkHost". Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. From these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.

References

▼	URL	Tags
	https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions	vendor-advisory
	http://www.openwall.com/lists/oss-security/2024/02/09/3
	http://www.openwall.com/lists/oss-security/2024/02/09/2

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Solr	Version: 6.0.0 ≤ 8.11.2 Version: 9.0.0 ≤

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T22:16:46.392Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2024/02/09/3",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2024/02/09/2",
               },
            ],
            title: "CVE Program Container",
         },
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "solr",
                  vendor: "apache",
                  versions: [
                     {
                        lessThanOrEqual: "8.11.2",
                        status: "affected",
                        version: "6.0.0",
                        versionType: "semver",
                     },
                     {
                        lessThan: "9.4.1",
                        status: "affected",
                        version: "9.0.0",
                        versionType: "semver",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "NONE",
                     baseScore: 7.5,
                     baseSeverity: "HIGH",
                     confidentialityImpact: "HIGH",
                     integrityImpact: "NONE",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2023-50298",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-08-19T16:14:53.466587Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-922",
                        description: "CWE-922 Insecure Storage of Sensitive Information",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-08-19T16:18:30.567Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Apache Solr",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThanOrEqual: "8.11.2",
                     status: "affected",
                     version: "6.0.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "9.4.1",
                     status: "affected",
                     version: "9.0.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               value: "Qing Xu",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.<p>This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.</p>Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a \"zkHost\" parameter.<br>When original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever \"zkHost\" the user provides.<br>An attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information,<br>then send a streaming expression using the mock server's address in \"zkHost\".<br><p>Streaming Expressions are exposed via the \"/streaming\" handler, with \"read\" permissions.</p><p>Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.<br>From these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.</p>",
                  },
               ],
               value: "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.\n\nSolr Streaming Expressions allows users to extract data from other Solr Clouds, using a \"zkHost\" parameter.\nWhen original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever \"zkHost\" the user provides.\nAn attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information,\nthen send a streaming expression using the mock server's address in \"zkHost\".\nStreaming Expressions are exposed via the \"/streaming\" handler, with \"read\" permissions.\n\nUsers are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.\nFrom these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "low",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-200",
                     description: "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-02-09T17:30:09.309Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions",
            },
            {
               url: "http://www.openwall.com/lists/oss-security/2024/02/09/3",
            },
            {
               url: "http://www.openwall.com/lists/oss-security/2024/02/09/2",
            },
         ],
         source: {
            defect: [
               "SOLR-17098",
            ],
            discovery: "EXTERNAL",
         },
         title: "Apache Solr: Solr can expose ZooKeeper credentials via Streaming Expressions",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2023-50298",
      datePublished: "2024-02-09T17:29:07.889Z",
      dateReserved: "2023-12-06T19:21:51.101Z",
      dateUpdated: "2025-02-13T17:19:05.273Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-50292

Vulnerability from cvelistv5

Published

2024-02-09 17:29

Modified

2025-02-13 17:19

Severity ?

Summary

Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr. This issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0. The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, when the feature was created, the "trust" (authentication) of these configSets was not considered. External library loading is only available to configSets that are "trusted" (created by authenticated users), thus non-authenticated users are unable to perform Remote Code Execution. Since the Schema Designer loaded configSets without taking their "trust" into account, configSets that were created by unauthenticated users were allowed to load external libraries when used in the Schema Designer. Users are recommended to upgrade to version 9.3.0, which fixes the issue.

References

▼	URL	Tags
	https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions	vendor-advisory
	http://www.openwall.com/lists/oss-security/2024/02/09/3

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Solr	Version: 8.10.0 ≤ 8.11.2 Version: 9.0.0 ≤

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T22:16:46.258Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2024/02/09/3",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Apache Solr",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThanOrEqual: "8.11.2",
                     status: "affected",
                     version: "8.10.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "9.3.0",
                     status: "affected",
                     version: "9.0.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               value: "Skay",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr.<p></p><p>This issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0.<br><br>The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets.<br>However, when the feature was created, the \"trust\" (authentication) of these configSets was not considered.<br>External library loading is only available to configSets that are \"trusted\" (created by authenticated users), thus non-authenticated users are unable to perform Remote Code Execution.<br>Since the Schema Designer loaded configSets without taking their \"trust\" into account, configSets that were created by unauthenticated users were allowed to load external libraries when used in the Schema Designer.<br></p><p>Users are recommended to upgrade to version 9.3.0, which fixes the issue.</p><p></p>",
                  },
               ],
               value: "Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr.\n\nThis issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0.\n\nThe Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets.\nHowever, when the feature was created, the \"trust\" (authentication) of these configSets was not considered.\nExternal library loading is only available to configSets that are \"trusted\" (created by authenticated users), thus non-authenticated users are unable to perform Remote Code Execution.\nSince the Schema Designer loaded configSets without taking their \"trust\" into account, configSets that were created by unauthenticated users were allowed to load external libraries when used in the Schema Designer.\n\nUsers are recommended to upgrade to version 9.3.0, which fixes the issue.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "critical",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-732",
                     description: "CWE-732 Incorrect Permission Assignment for Critical Resource",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-02-09T17:30:08.123Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions",
            },
            {
               url: "http://www.openwall.com/lists/oss-security/2024/02/09/3",
            },
         ],
         source: {
            defect: [
               "SOLR-16777",
            ],
            discovery: "EXTERNAL",
         },
         title: "Apache Solr: Solr Schema Designer blindly \"trusts\" all configsets, possibly leading to RCE by unauthenticated users",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2023-50292",
      datePublished: "2024-02-09T17:29:21.249Z",
      dateReserved: "2023-12-06T18:22:41.671Z",
      dateUpdated: "2025-02-13T17:19:04.157Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-50386

Vulnerability from cvelistv5

Published

2024-02-09 17:28

Modified

2025-02-13 17:19

Severity ?

Summary

Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added: * Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader. * The Backup API restricts saving backups to directories that are used in the ClassLoader.

References

▼	URL	Tags
	https://solr.apache.org/security.html#cve-2023-50386-apache-solr-backuprestore-apis-allow-for-deployment-of-executables-in-malicious-configsets	vendor-advisory
	http://www.openwall.com/lists/oss-security/2024/02/09/1

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Solr	Version: 6.0.0 ≤ 8.11.2 Version: 9.0.0 ≤

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:apache:solr:6.0.0:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "solr",
                  vendor: "apache",
                  versions: [
                     {
                        status: "affected",
                        version: "6.0.0",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-50386",
                        options: [
                           {
                              Exploitation: "None",
                           },
                           {
                              Automatable: "No",
                           },
                           {
                              "Technical Impact": "Total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-04-26T04:00:19.098676Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T17:17:47.000Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T22:16:46.302Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://solr.apache.org/security.html#cve-2023-50386-apache-solr-backuprestore-apis-allow-for-deployment-of-executables-in-malicious-configsets",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2024/02/09/1",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Apache Solr",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThanOrEqual: "8.11.2",
                     status: "affected",
                     version: "6.0.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "9.4.1",
                     status: "affected",
                     version: "9.0.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               value: "L3yx",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.<p>This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.</p>In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API.<br>When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups).<br>If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted.<br><br>When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries.<br><p>Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.<br>In these versions, the following protections have been added:</p><ul><li>Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader.</li><li>The Backup API restricts saving backups to directories that are used in the ClassLoader.</li></ul>",
                  },
               ],
               value: "Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.\n\nIn the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API.\nWhen backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups).\nIf the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted.\n\nWhen Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries.\nUsers are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.\nIn these versions, the following protections have been added:\n\n  *  Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader.\n  *  The Backup API restricts saving backups to directories that are used in the ClassLoader.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "moderate",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-434",
                     description: "CWE-434 Unrestricted Upload of File with Dangerous Type",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     cweId: "CWE-913",
                     description: "CWE-913 Improper Control of Dynamically-Managed Code Resources",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-02-09T17:30:10.403Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://solr.apache.org/security.html#cve-2023-50386-apache-solr-backuprestore-apis-allow-for-deployment-of-executables-in-malicious-configsets",
            },
            {
               url: "http://www.openwall.com/lists/oss-security/2024/02/09/1",
            },
         ],
         source: {
            defect: [
               "SOLR-16949",
            ],
            discovery: "EXTERNAL",
         },
         title: "Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2023-50386",
      datePublished: "2024-02-09T17:28:51.290Z",
      dateReserved: "2023-12-07T17:14:22.179Z",
      dateUpdated: "2025-02-13T17:19:26.116Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

WID-SEC-W-2024-0340

Vulnerability from csaf_certbund

cve-2023-50291

Vulnerability from cvelistv5

cve-2023-50298

Vulnerability from cvelistv5

cve-2023-50292

Vulnerability from cvelistv5

cve-2023-50386

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature