CVE-2023-50291
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2023-50291 is an insufficiently protected credentials vulnerability in Apache Solr affecting versions 6.0.0 through 8.11.2 and 9.0.0 before 9.3.0. Solr publishes the Java system properties of its process through the "/admin/info/properties" endpoint, and in the affected versions that endpoint only redacted properties whose name contained "password". Other sensitive system properties, such as "basicauth" and "aws.secretKey", were therefore returned in the clear and displayed in the Solr Admin UI. The endpoint is protected by the "config-read" permission, so a Solr Cloud with Authorization enabled is exposed only to authenticated users holding that permission; an instance without authorization enabled exposes the values to anyone who can reach the endpoint.
Users should upgrade to version 9.3.0 or 8.11.3, both of which fix the issue. Where upgrading is not possible, setting the Java system property '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*' (for example via SOLR_OPTS) widens the redaction pattern to cover the known sensitive names; the pattern is matched against the whole property name, which is why it is wrapped in '.*'. The fixed versions add '-Dsolr.hiddenSysProps', which hides all known sensitive Java system properties by default.
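The following Python is an added example, not Apache Solr code or part of the advisory. It models the name-based redaction that the affected endpoint applies (only names containing "password" in the vulnerable default, versus the advisory's recommended pattern) and provides an audit function that takes a captured "/admin/info/properties" JSON body and reports sensitive properties that came back unredacted. The redaction marker "--REDACTED--", case-insensitive full-name matching, the sample property values and the sensitive names other than "basicauth" and "aws.secretKey" are assumptions for illustration.

```python
"""Added example (not Apache Solr code): model the name-based redaction that
/admin/info/properties applies to Java system properties, and audit a captured
response for sensitive values that came back in the clear."""
import json
import re

# String Solr substitutes for a hidden property value (assumed from Solr's RedactionUtils).
REDACT_STRING = "--REDACTED--"

# Behaviour of the affected versions per the advisory: only names containing "password" are hidden.
DEFAULT_PATTERN = r".*password.*"
# Mitigation the advisory gives for instances that cannot be upgraded.
RECOMMENDED_PATTERN = r".*(password|secret|basicauth).*"

# Property names an auditor treats as secrets. The advisory names "basicauth" and
# "aws.secretKey"; the remaining entries are assumed additions for illustration.
SENSITIVE_NAMES = frozenset({
    "basicauth",
    "aws.secretKey",
    "javax.net.ssl.keyStorePassword",
    "zkDigestPassword",
})


def redact(props, pattern):
    """Return a copy of props with the value hidden for every name the pattern matches.
    Full-name, case-insensitive matching is assumed; that is why the advisory's
    pattern is wrapped in '.*'."""
    rx = re.compile(pattern, re.IGNORECASE)
    return {name: (REDACT_STRING if rx.fullmatch(name) else value)
            for name, value in props.items()}


def leaked_secrets(body):
    """Given a decoded /admin/info/properties response, return the sensitive
    property names whose value was not redacted, sorted for stable output."""
    props = body.get("system.properties", {})
    return sorted(name for name in SENSITIVE_NAMES
                  if name in props and props[name] != REDACT_STRING)


def leaked_from_body(body_text):
    """Convenience wrapper for a raw JSON body, e.g. one saved from
    curl 'http://solr:8983/solr/admin/info/properties?wt=json' (host is a placeholder)."""
    return leaked_secrets(json.loads(body_text))


# Constructed system properties of a hypothetical Solr process; all values are fake.
SAMPLE_PROPS = {
    "java.version": "11.0.20",
    "solr.log.dir": "/var/solr/logs",
    "basicauth": "solr:SolrRocks",
    "aws.secretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "javax.net.ssl.keyStorePassword": "changeit",
    "zkDigestPassword": "zk-secret",
}


def simulate_response(pattern):
    """Build the JSON body the endpoint would return for SAMPLE_PROPS under the given
    redaction pattern (constructed; the shape follows Solr's JSON response format)."""
    return json.dumps({
        "responseHeader": {"status": 0, "QTime": 1},
        "system.properties": redact(SAMPLE_PROPS, pattern),
    })


if __name__ == "__main__":
    for label, pattern in (("affected default", DEFAULT_PATTERN),
                           ("recommended pattern", RECOMMENDED_PATTERN)):
        print(f"{label}: leaked {leaked_from_body(simulate_response(pattern))}")
```

Against the constructed properties, the affected default leaks "aws.secretKey" and "basicauth" while still hiding the two names that contain "password"; the recommended pattern hides all four. To audit a real instance, save the endpoint's JSON body with an account that holds "config-read" and pass it to leaked_from_body; a non-empty result means the redaction pattern has not been widened or the instance has not been upgraded.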
Affected Products
- Apache Software Foundation Solr
- Apache Solr
Affected Vendors
- Apache Software Foundation