org.apache.solr:solr-core 8.6.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.solr:solr-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Execution with Unnecessary Privileges org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to the potential for attackers to control what configset is loaded by the `FileSystemConfigSetService` component (in use by default in standalone and user-managed modes) during core creation. A trusted config can be replaced by a malicious one, which specifies arbitrary classes as `<lib>` elements, which will then be added to the classpath. How to fix Execution with Unnecessary Privileges? Upgrade `org.apache.solr:solr-core` to version 9.8.0 or higher.	[,9.8.0)
M Arbitrary File Write via Archive Extraction (Zip Slip) org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in the `uploadFileToConfig()` function in the `FileSystemConfigSetService.java` component, which is accessible via the configset upload API. An attacker can write files at unintended paths in the filesystem by passing in a ZIP archive containing a malicious pathname. Note: This vulnerability is only exploitable on Windows systems. How to fix Arbitrary File Write via Archive Extraction (Zip Slip)? Upgrade `org.apache.solr:solr-core` to version 9.8.0 or higher.	[6.6,9.8.0)
C Improper Authentication org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Improper Authentication due to insecure code in `PKIAuthenticationPlugin` and `HttpSolrCall` classes. An attacker can bypass the authentication process by appending a fake ending to the URL path, which appears to be an unprotected API path but is internally stripped off after authentication and before API routing. Note: Solr instances using the `PKIAuthenticationPlugin`, which is enabled by default when Solr Authentication is used, are vulnerable. How to fix Improper Authentication? Upgrade `org.apache.solr:solr-core` to version 8.11.4, 9.7.0 or higher.	[5.3.0,8.11.4)[9.0.0,9.7.0)
H Insecure Default Initialization of Resource org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the `Restore` command which copies a `configSet` from the backup and assigns it a new name without setting the `trusted` metadata. An attacker can execute arbitrary code by exploiting the implicit trust granted to these `ConfigSets` if the `trusted` flag is missing. This is only exploitable if the Solr instance is not secured via Authentication/Authorization. How to fix Insecure Default Initialization of Resource? Upgrade `org.apache.solr:solr-core` to version 8.11.4, 9.7.0 or higher.	[6.6.0,8.11.4)[9.0.0,9.7.0)
M Exposure of Sensitive Information to an Unauthorized Actor org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor due to the use of a `zkHost` parameter that allows users to extract data from other Solr Clouds. When the original SolrCloud is configured to use ZooKeeper credentials and ACLs, these credentials are sent to any `zkHost` specified by the user. An attacker could exploit this by setting up a mock ZooKeeper server that accepts ZooKeeper requests with credentials and ACLs to extract sensitive information. Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions. How to fix Exposure of Sensitive Information to an Unauthorized Actor? Upgrade `org.apache.solr:solr-core` to version 8.11.3, 9.4.1 or higher.	[6.0.0,8.11.3)[9.0.0,9.4.1)
H Unrestricted Upload of File with Dangerous Type org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the `ConfigSets` API accepting Java jar and class files. When backing up Solr Collections, these `configSet` files are saved to disk using the `LocalFileSystemRepository`, which is the default for backups. If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files become available for use with any `ConfigSet`, regardless of trust level. Note: This vulnerability is most severe when Authorization is not enabled, which is strongly recommended against. With Authorization enabled it is limited to extending the Backup permissions with the ability to add libraries. How to fix Unrestricted Upload of File with Dangerous Type? Upgrade `org.apache.solr:solr-core` to version 8.11.3, 9.4.1 or higher.	[6.0.0,8.11.3)[9.0.0,9.4.1)
M Insufficiently Protected Credentials org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to system property redaction logic inconsistencies. An attacker can access sensitive information, such as credentials for basic authentication or AWS secret keys, by exploiting the `/admin/info/properties` endpoint. This endpoint was intended to hide system properties containing "password" in their name, but failed to conceal other sensitive properties, including "basicauth" and "aws.secretKey", thus making them accessible via the Solr Admin UI. This is only exploitable if the Solr Cloud has Authorization enabled and the attacker has the "config-read" permission. How to fix Insufficiently Protected Credentials? Upgrade `org.apache.solr:solr-core` to version 8.11.3, 9.3.0 or higher.	[6.0.0,8.11.3)[9.0.0,9.3.0)
M Improper Input Validation org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Improper Input Validation in `DataImportHandler`, which allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in the exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes). In case of misconfigured systems, SMB relay attacks can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution. How to fix Improper Input Validation? Upgrade `org.apache.solr:solr-core` to version 8.11.1 or higher.	[0,8.11.1)
H Server-Side Request Forgery (SSRF) org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). The `ReplicationHandler` (normally registered at `/replication` under a `Solr` core) has a `masterUrl` (also `leaderUrl` alias) parameter that is used to designate another `ReplicationHandler` on another `Solr` core to replicate index data into the local core. These parameters are not checked against a similar configuration it uses for the `shards` parameter. How to fix Server-Side Request Forgery (SSRF)? Upgrade `org.apache.solr:solr-core` to version 8.8.2 or higher.	[,8.8.2)
M Access Restriction Bypass org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Access Restriction Bypass. When using `ConfigurableInternodeAuthHadoopPlugin` for authentication, `Solr` forwards/proxies distributed requests using server credentials instead of original client credentials. This results in incorrect authorization resolution on the receiving hosts. How to fix Access Restriction Bypass? Upgrade `org.apache.solr:solr-core` to version 8.8.2 or higher.	[,8.8.2)
L Information Exposure org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Information Exposure. When starting `Solr`, configured with the `SaslZkACLProvider` or `VMParamsAllAndReadonlyDigestZkACLProvider` and no existing `security.json` znode, if the optional read-only user is configured then `Solr` would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any `ZkACLProvider`, if the `security.json` is already present, `Solr` will not automatically update the ACLs. How to fix Information Exposure? Upgrade `org.apache.solr:solr-core` to version 8.8.2 or higher.	[,8.8.2)
C Remote Code Execution (RCE) org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene Affected versions of this package are vulnerable to Remote Code Execution (RCE). Features considered dangerous (which could be used for remote code execution) can be configured in a `ConfigSet` that's uploaded via API without authentication or authorization. The checks in place to prevent such features can be circumvented by using a combination of the `UPLOAD` and `CREATE` actions. How to fix Remote Code Execution (RCE)? Upgrade `org.apache.solr:solr-core` to version 8.6.3 or higher.	[6.6.0,8.6.3)

Vulnerability

Vulnerable Version

Execution with Unnecessary Privileges

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to the potential for attackers to control what configset is loaded by the FileSystemConfigSetService component (in use by default in standalone and user-managed modes) during core creation. A trusted config can be replaced by a malicious one, which specifies arbitrary classes as <lib> elements, which will then be added to the classpath.

How to fix Execution with Unnecessary Privileges?

Upgrade org.apache.solr:solr-core to version 9.8.0 or higher.

[,9.8.0)

Arbitrary File Write via Archive Extraction (Zip Slip)

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in the uploadFileToConfig() function in the FileSystemConfigSetService.java component, which is accessible via the configset upload API. An attacker can write files at unintended paths in the filesystem by passing in a ZIP archive containing a malicious pathname.

Note: This vulnerability is only exploitable on Windows systems.

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade org.apache.solr:solr-core to version 9.8.0 or higher.

[6.6,9.8.0)

Improper Authentication

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Improper Authentication due to insecure code in PKIAuthenticationPlugin and HttpSolrCall classes.

An attacker can bypass the authentication process by appending a fake ending to the URL path, which appears to be an unprotected API path but is internally stripped off after authentication and before API routing.

Note:

Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable.

How to fix Improper Authentication?

Upgrade org.apache.solr:solr-core to version 8.11.4, 9.7.0 or higher.

[5.3.0,8.11.4)[9.0.0,9.7.0)

Insecure Default Initialization of Resource

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the Restore command which copies a configSet from the backup and assigns it a new name without setting the trusted metadata. An attacker can execute arbitrary code by exploiting the implicit trust granted to these ConfigSets if the trusted flag is missing.

This is only exploitable if the Solr instance is not secured via Authentication/Authorization.

How to fix Insecure Default Initialization of Resource?

Upgrade org.apache.solr:solr-core to version 8.11.4, 9.7.0 or higher.

[6.6.0,8.11.4)[9.0.0,9.7.0)

Exposure of Sensitive Information to an Unauthorized Actor

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor due to the use of a zkHost parameter that allows users to extract data from other Solr Clouds. When the original SolrCloud is configured to use ZooKeeper credentials and ACLs, these credentials are sent to any zkHost specified by the user. An attacker could exploit this by setting up a mock ZooKeeper server that accepts ZooKeeper requests with credentials and ACLs to extract sensitive information. Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions.

How to fix Exposure of Sensitive Information to an Unauthorized Actor?

Upgrade org.apache.solr:solr-core to version 8.11.3, 9.4.1 or higher.

[6.0.0,8.11.3)[9.0.0,9.4.1)

Unrestricted Upload of File with Dangerous Type

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the ConfigSets API accepting Java jar and class files. When backing up Solr Collections, these configSet files are saved to disk using the LocalFileSystemRepository, which is the default for backups. If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files become available for use with any ConfigSet, regardless of trust level.

Note: This vulnerability is most severe when Authorization is not enabled, which is strongly recommended against. With Authorization enabled it is limited to extending the Backup permissions with the ability to add libraries.

How to fix Unrestricted Upload of File with Dangerous Type?

Upgrade org.apache.solr:solr-core to version 8.11.3, 9.4.1 or higher.

[6.0.0,8.11.3)[9.0.0,9.4.1)

Insufficiently Protected Credentials

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to system property redaction logic inconsistencies. An attacker can access sensitive information, such as credentials for basic authentication or AWS secret keys, by exploiting the /admin/info/properties endpoint. This endpoint was intended to hide system properties containing "password" in their name, but failed to conceal other sensitive properties, including "basicauth" and "aws.secretKey", thus making them accessible via the Solr Admin UI. This is only exploitable if the Solr Cloud has Authorization enabled and the attacker has the "config-read" permission.

How to fix Insufficiently Protected Credentials?

Upgrade org.apache.solr:solr-core to version 8.11.3, 9.3.0 or higher.

[6.0.0,8.11.3)[9.0.0,9.3.0)

Improper Input Validation

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Improper Input Validation in DataImportHandler, which allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in the exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes). In case of misconfigured systems, SMB relay attacks can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution.

How to fix Improper Input Validation?

Upgrade org.apache.solr:solr-core to version 8.11.1 or higher.

[0,8.11.1)

Server-Side Request Forgery (SSRF)

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). The ReplicationHandler (normally registered at /replication under a Solr core) has a masterUrl (also leaderUrl alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. These parameters are not checked against a similar configuration it uses for the shards parameter.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade org.apache.solr:solr-core to version 8.8.2 or higher.

[,8.8.2)

Access Restriction Bypass

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Access Restriction Bypass. When using ConfigurableInternodeAuthHadoopPlugin for authentication, Solr forwards/proxies distributed requests using server credentials instead of original client credentials. This results in incorrect authorization resolution on the receiving hosts.

How to fix Access Restriction Bypass?

Upgrade org.apache.solr:solr-core to version 8.8.2 or higher.

[,8.8.2)

Information Exposure

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Information Exposure. When starting Solr, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.

How to fix Information Exposure?

Upgrade org.apache.solr:solr-core to version 8.8.2 or higher.

[,8.8.2)

Remote Code Execution (RCE)

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Remote Code Execution (RCE). Features considered dangerous (which could be used for remote code execution) can be configured in a ConfigSet that's uploaded via API without authentication or authorization. The checks in place to prevent such features can be circumvented by using a combination of the UPLOAD and CREATE actions.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.solr:solr-core to version 8.6.3 or higher.

[6.6.0,8.6.3)

org.apache.solr:solr-core@8.6.1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?