Improper Permission Assignment in Apache Solr's Schema Designer Feature
CVE-2023-50292

7.5 HIGH

Key Information:

Vendor: Apache
CVE Published: 9 February 2024

Summary

A vulnerability exists in the Schema Designer feature of Apache Solr, affecting several versions. The issue is an incorrect permission assignment for critical resources: the Schema Designer allows unauthenticated users to load external libraries in configSets. Although the feature was designed to make configuring and testing Schemas and configSets easier, it does not validate the trust level of these components, so a configSet created by an unauthenticated user is treated as if it were trusted. Because such configSets can load external libraries, the flaw can potentially lead to unauthorized remote code execution. Users are strongly encouraged to upgrade to version 9.3.0 to mitigate this vulnerability.

Affected Version(s)

Apache Solr 8.10.0 through 8.11.2 (inclusive)

Apache Solr 9.0.0 up to, but not including, 9.3.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database

Credit

Skay