#VU98527 Insufficient verification of data authenticity in Apache Solr - CVE-2024-45217
Published: October 15, 2024
Vulnerability identifier: #VU98527
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-45217
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache Solr
Apache Solr
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote attacker to compromise the affected instance.
The vulnerability exists due to ConfigSets created during a backup restore command are trusted implicitly. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request.
Remediation
Install updates from vendor's website.