Insufficient verification of data authenticity in Apache Solr - CVE-2024-45217

 

Insufficient verification of data authenticity in Apache Solr - CVE-2024-45217

Published: October 15, 2024


Vulnerability identifier: #VU98527
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-45217
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Solr

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected instance.

The vulnerability exists due to ConfigSets created during a backup restore command are trusted implicitly. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request.


How to mitigate CVE-2024-45217

Install updates from vendor's website.

Sources