Exposure of Sensitive Information to Unauthorized Actor in Apache Solr
CVE-2023-50298

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Solr
Vendor: CVE Published:; 9 February 2024

Summary

A vulnerability exists in Apache Solr that allows an unauthorized actor to expose sensitive information due to the mishandling of ZooKeeper credentials in Streaming Expressions. This vulnerability impacts versions from 6.0.0 to 8.11.2 and for 9.0.0 versions prior to 9.4.1. When users extract data from other Solr Clouds using the 'zkHost' parameter, ZooKeeper credentials may inadvertently be sent to a potentially malicious server set up to simulate ZooKeeper. This enables an attacker to capture sensitive data by exploiting the streaming expression functionality. It is critical for users to upgrade to versions 8.11.3 or 9.4.1 to mitigate this risk, as the updates restrict credential usage to the same server address only.

Affected Version(s)

Apache Solr 6.0.0 <= 8.11.2

Apache Solr 9.0.0 < 9.4.1

References

https://solr.apache.org/security.html#cve-2023-50298-apac...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/02/09/3

http://www.openwall.com/lists/oss-security/2024/02/09/2

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 9, 2024
Vulnerability Reserved
Dec 6, 2023

Collectors

NVD DatabaseMitre Database

Credit

Qing Xu