Moderate severityNVD Advisory· Published Jan 15, 2024· Updated May 9, 2025

Apache Solr: Host environment variables are published via the Metrics API

CVE-2023-50290

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-proccess.

The Solr Metrics API is protected by the "metrics-read" permission. Therefore, Solr Clouds with Authorization setup will only be vulnerable via users with the "metrics-read" permission. This issue affects Apache Solr: from 9.0.0 before 9.3.0.

Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Solr's Metrics API exposes all host environment variables, leaking sensitive information; upgrade to 9.3.0+ to fix.

Vulnerability

The Solr Metrics API, by design, publishes all environment variables set on the host system to any user with the "metrics-read" permission. Unlike Java system properties, environment variables are host-wide and cannot be restricted per-process. The default hidden list only covers known secret Java properties, leaving many environment variables exposed [1].

Exploitation

An attacker who has been granted the "metrics-read" permission (e.g., through misconfiguration or compromised credentials) can query the Metrics API to retrieve all host environment variables. In Solr Clouds with authorization enabled, only users with this permission are vulnerable [1]. The attacker does not need any other special privileges.

Impact

Exposure of environment variables can reveal sensitive data such as API keys, database passwords, cloud provider credentials, or other secrets. This information can be used for lateral movement or privilege escalation within the environment [1].

Mitigation

Apache Solr versions 9.0.0 through 9.2.x are affected. Users should upgrade to Solr 9.3.0 or later, where environment variables are no longer published via the Metrics API. The fix is implemented in commit 35fc4bdc [4]. No official workaround is provided aside from restricting the "metrics-read" permission to trusted users.

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.solr:solr-coreMaven	>= 9.0.0, < 9.3.0	9.3.0

Affected products

osv-coords2 versions
pkg:bitnami/solr pkg:maven/org.apache.solr/solr-core
>= 9.0.0, < 9.3.0+ 1 more
- (no CPE)range: >= 9.0.0, < 9.3.0
- (no CPE)range: >= 9.0.0, < 9.3.0
Apache Software Foundation/Apache Solrv5
Range: 9.0.0

Patches

35fc4bdc4817

SOLR-16808: Don't publish envVars via the Metrics API

https://github.com/apache/solrHouston PutmanMay 19, 2023via ghsa

commit

2 files changed · +2 −12

solr/CHANGES.txt+2 −0 modified

@@ -187,6 +187,8 @@ Bug Fixes
 
 * SOLR-16801: Reset the thread's contextClassloader after loading the CoreContainer (Thomas Wöckinger, Houston Putman)
 
+* SOLR-16808: Stop publishing environment variables via the Metrics API (Houston Putman)
+
 Dependency Upgrades
 ---------------------
 * PR#1494: Upgrade forbiddenapis to 3.5 (Uwe Schindler)

solr/core/src/java/org/apache/solr/servlet/CoreContainerProvider.java+0 −12 modified

@@ -468,18 +468,6 @@ private void setupJvmMetrics(CoreContainer coresInit, MetricsConfig config) {
           ResolutionStrategy.IGNORE,
           "properties",
           "system");
-      MetricsMap sysenv =
-          new MetricsMap(
-              map ->
-                  System.getenv()
-                      .forEach(
-                          (k, v) -> {
-                            if (!hiddenSysProps.contains(k)) {
-                              map.putNoEx(String.valueOf(k), v);
-                            }
-                          }));
-      metricManager.registerGauge(
-          null, registryName, sysenv, metricTag, ResolutionStrategy.IGNORE, "env", "system");
     } catch (Exception e) {
       log.warn("Error registering JVM metrics", e);
     }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-gg7w-pw2r-x2cqghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-50290ghsaADVISORY
solr.apache.org/security.htmlghsavendor-advisoryWEB
github.com/apache/solr/commit/35fc4bdc48171d9a64251c54a1e76deb558cf9d8ghsaWEB
issues.apache.org/jira/browse/SOLR-16808ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.074
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000