{
  "GSD": {
    "alias": "CVE-2023-50291",
    "id": "GSD-2023-50291"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-50291"
      ],
      "details": "Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process\u0027 Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n\u00a0 \u0027-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*\u0027\n\n",
      "id": "GSD-2023-50291",
      "modified": "2023-12-13T01:20:31.293517Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2023-50291",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Solr",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "6.0.0",
                          "version_value": "8.11.2"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "9.0.0",
                          "version_value": "9.3.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Michael Taggart"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process\u0027 Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n\u00a0 \u0027-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*\u0027\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-522",
                "lang": "eng",
                "value": "CWE-522 Insufficiently Protected Credentials"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies",
            "refsource": "MISC",
            "url": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2024/02/09/4",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2024/02/09/4"
          }
        ]
      },
      "source": {
        "defect": [
          "SOLR-16809"
        ],
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "21D17629-7025-4DB8-936C-2C074AC00515",
                    "versionEndExcluding": "8.11.3",
                    "versionStartIncluding": "6.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E1EF37F2-A898-4CF3-A122-1EEA13E6DDA4",
                    "versionEndExcluding": "9.3.0",
                    "versionStartIncluding": "9.0.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process\u0027 Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n\u00a0 \u0027-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*\u0027\n\n"
          },
          {
            "lang": "es",
            "value": "Vulnerabilidad de credenciales insuficientemente protegidas en Apache Solr. Este problema afecta a Apache Solr: desde 6.0.0 hasta 8.11.2, desde 9.0.0 antes de 9.3.0. Uno de los dos endpoints que publica las propiedades del sistema Java del proceso Solr, /admin/info/properties, solo se configur\u00f3 para ocultar las propiedades del sistema que ten\u00edan \"password\" en el nombre. Hay una serie de propiedades confidenciales del sistema, como \"basicauth\" y \"aws.secretKey\" que no contienen \"password\", por lo que sus valores se publicaron a trav\u00e9s del endpoint \"/admin/info/properties\". Este endpoint completa la lista de System Properties en la pantalla de inicio de la p\u00e1gina de administraci\u00f3n de Solr, lo que hace que las credenciales expuestas sean visibles en la interfaz de usuario. Este endpoint /admin/info/properties est\u00e1 protegido bajo el permiso \"config-read\". Por lo tanto, las nubes Solr con autorizaci\u00f3n habilitada solo ser\u00e1n vulnerables a trav\u00e9s de usuarios registrados que tengan el permiso \"config-read\". Se recomienda a los usuarios actualizar a la versi\u00f3n 9.3.0 u 8.11.3, que soluciona el problema. Una \u00fanica opci\u00f3n ahora controla la ocultaci\u00f3n de la propiedad del sistema Java para todos los endpoints, \"-Dsolr.hiddenSysProps\". De forma predeterminada, todas las propiedades confidenciales conocidas est\u00e1n ocultas (incluido \"-Dbasicauth\"), as\u00ed como cualquier propiedad cuyo nombre contenga \"secret\" o \"password\". Los usuarios que no pueden actualizar tambi\u00e9n pueden utilizar la siguiente propiedad del sistema Java para solucionar el problema: \u0027-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*\u0027"
          }
        ],
        "id": "CVE-2023-50291",
        "lastModified": "2024-02-15T18:41:12.893",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2024-02-09T18:15:08.240",
        "references": [
          {
            "source": "security@apache.org",
            "tags": [
              "Mailing List"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/02/09/4"
          },
          {
            "source": "security@apache.org",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"
          }
        ],
        "sourceIdentifier": "security@apache.org",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-522"
              }
            ],
            "source": "security@apache.org",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Solr ist ein Suchmaschinen-Server f\u00fcr Unternehmen mit einer REST-\u00e4hnlichen API.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache Solr ausnutzen, um Informationen offenzulegen oder beliebigen Programmcode auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0340 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0340.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0340 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0340"
      },
      {
        "category": "external",
        "summary": "Solr Security News vom 2024-02-11",
        "url": "https://solr.apache.org/security.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker vom 2024-02-11",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263577"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker vom 2024-02-11",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263579"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker vom 2024-02-11",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263583"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker vom 2024-02-11",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263585"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Solr: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-02-11T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T17:59:48.806+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2024-0340",
      "initial_release_date": "2024-02-11T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-11T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 9.3.0",
                "product": {
                  "name": "Apache Solr \u003c 9.3.0",
                  "product_id": "1506974",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:solr:9.3.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 9.4.1",
                "product": {
                  "name": "Apache Solr \u003c 9.4.1",
                  "product_id": "T032661",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:solr:9.4.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 8.11.3",
                "product": {
                  "name": "Apache Solr \u003c 8.11.3",
                  "product_id": "T032663",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:solr:8.11.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Solr"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-50291",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Apache Solr. Diese ist darauf zur\u00fcckzuf\u00fchren, dass vertrauliche Informationen an dem \"/admin/info/properties\" Endpunkt nicht gesch\u00fctzt sind. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen."
        }
      ],
      "release_date": "2024-02-11T23:00:00Z",
      "title": "CVE-2023-50291"
    },
    {
      "cve": "CVE-2023-50292",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Apache Solr. Diese ist auf einen Fehler in der Komponente \"Schema Designer\" zur\u00fcckzuf\u00fchren, welche \"Schemas\" ungepr\u00fcft ausf\u00fchrt. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren."
        }
      ],
      "release_date": "2024-02-11T23:00:00Z",
      "title": "CVE-2023-50292"
    },
    {
      "cve": "CVE-2023-50298",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Apache Solr. Diese besteht in der \"zkHost\"-Funktionalit\u00e4t, die zum Austausch mit anderen Solr-Clouds genutzt werden kann. Ein entfernter, authentisierter Angreifer in einer man-in-the-middle-position kann diese Schwachstelle ausnutzen, um Informationen offenzulegen."
        }
      ],
      "release_date": "2024-02-11T23:00:00Z",
      "title": "CVE-2023-50298"
    },
    {
      "cve": "CVE-2023-50386",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Apache Solr. Diese ist auf einen Fehler in der Komponente \"ConfigSets\" zur\u00fcckzuf\u00fchren, welche ungepr\u00fcft Java jar Dateien und Klassen per API akzeptiert und speichert. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren."
        }
      ],
      "release_date": "2024-02-11T23:00:00Z",
      "title": "CVE-2023-50386"
    }
  ]
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.solr:solr-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "8.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.solr:solr-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-09T21:43:19Z",
    "nvd_published_at": "2024-02-09T18:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process\u0027 Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, both of which fix the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n\u00a0 `-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*`",
  "id": "GHSA-3hwc-rqwp-v36q",
  "modified": "2024-02-09T21:43:19Z",
  "published": "2024-02-09T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50291"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/solr/commit/659021c7d50164a3166887f24875228431b02102"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/solr/commit/98c198810f2cd934d23d0d80aadb570a2bbb3b8e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/solr"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/SOLR-16809"
    },
    {
      "type": "WEB",
      "url": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/02/09/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Apache Solr can leak certain passwords due to System Property redaction logic inconsistencies"
}