Execution with Unnecessary Privileges Affecting lucene-solr package, versions <3.6.2+dfsg-23
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIANUNSTABLE-LUCENESOLR-8663288
- published27 Jan 2025
- disclosed27 Jan 2025
Introduced: 27 Jan 2025
NewCVE-2025-24814 (opens in a new tab)How to fix?
Upgrade Debian:unstable lucene-solr to version 3.6.2+dfsg-23 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream lucene-solr package and not the lucene-solr package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
Core creation allows users to replace "trusted" configset files with arbitrary configuration
Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual "trusted" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem. These replacement config files are treated as "trusted" and can use "<lib>" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin.
This issue affects all Apache Solr versions up through Solr 9.7. Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from "FileSystemConfigSetService"). Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of "<lib>" tags by default.