Apache Solr CVE-2023-50386: Unrestricted Upload of JARs via ConfigSets
CVE-2023-50386 Published on February 9, 2024
Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.
In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API.
When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups).
If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted.
When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries.
Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.
In these versions, the following protections have been added:
* Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader.
* The Backup API restricts saving backups to directories that are used in the ClassLoader.
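The two protections above can be approximated as an operator-side audit. This is an added example, not Solr's own code: the extension list, magic-byte checks, function names and sample paths are assumptions chosen for illustration.

```python
import io
import os
import zipfile

# Assumption: extensions and magic numbers treated as loadable Java code.
DANGEROUS_EXTENSIONS = (".jar", ".class")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # compiled Java class file
ZIP_MAGIC = b"PK\x03\x04"          # JAR files are ZIP archives


def audit_configset_zip(data):
    """Return sorted (entry, reason) pairs for entries that look like Java code."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if info.filename.lower().endswith(DANGEROUS_EXTENSIONS):
                findings.append((info.filename, "extension"))
            elif head == CLASS_MAGIC:  # renamed .class file
                findings.append((info.filename, "class magic bytes"))
            elif head == ZIP_MAGIC:    # renamed .jar or nested archive
                findings.append((info.filename, "embedded archive"))
    return sorted(findings)


def backup_location_allowed(location, classpath_dirs):
    """False when the backup location resolves inside a ClassLoader directory."""
    target = os.path.realpath(location)  # collapses ../ and symlinks
    for directory in classpath_dirs:
        lib = os.path.realpath(directory)
        if os.path.commonpath([target, lib]) == lib:
            return False
    return True


def build_sample_configset():
    """Constructed sample: normal config files plus two entries to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("solrconfig.xml", "<config/>")
        zf.writestr("managed-schema", "<schema/>")
        zf.writestr("lib/helper.jar", ZIP_MAGIC + b"\x00" * 8)
        zf.writestr("conf/stopwords.txt", CLASS_MAGIC + b"\x00\x00\x00\x34")
    return buf.getvalue()
```

Checking the first bytes as well as the extension catches class files renamed to an allowed extension, and resolving the path before comparing catches backup locations that reach a library directory through `..` segments.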
Vulnerability Analysis
CVE-2023-50386 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. A proof of concept (POC) exploit for CVE-2023-50386 is publicly available. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
What is an Unrestricted File Upload Vulnerability?
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVE-2023-50386 has been classified as an Unrestricted File Upload vulnerability or weakness.
Improper Control of Dynamically-Managed Code Resources
The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.
Products Associated with CVE-2023-50386
Affected Versions
Apache Software Foundation Apache Solr:
- Version 6.0.0, <= 8.11.2 is affected.
- Version 9.0.0 and below 9.4.1 is affected.
- Version 6.0.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.