org.apache.solr:solr-core@8.11.4 vulnerabilities

  • latest version

    9.9.0

  • latest non vulnerable version

  • first published

    16 years ago

  • latest version published

    8 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.solr:solr-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Execution with Unnecessary Privileges

    org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene.

    Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to the potential for attackers to control what configset is loaded by the FileSystemConfigSetService component (in use by default in standalone and user-managed modes) during core creation. A trusted config can be replaced by a malicious one, which specifies arbitrary classes as <lib> elements, which will then be added to the classpath.

    How to fix Execution with Unnecessary Privileges?

    Upgrade org.apache.solr:solr-core to version 9.8.0 or higher.

    [,9.8.0)
    • M
    Arbitrary File Write via Archive Extraction (Zip Slip)

    Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in the uploadFileToConfig() function in the FileSystemConfigSetService.java component, which is accessible via the configset upload API. An attacker can write files at unintended paths in the filesystem by passing in a ZIP archive containing a malicious pathname.

    Note: This vulnerability is only exploitable on Windows systems.

    How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

    Upgrade org.apache.solr:solr-core to version 9.8.0 or higher.

    [6.6,9.8.0)