Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords
Description
Insufficiently Protected Credentials vulnerability in Apache Solr.
This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.
This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password".
Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.solr:solr-coreMaven | >= 6.0.0, < 8.11.3 | 8.11.3 |
org.apache.solr:solr-coreMaven | >= 9.0.0, < 9.3.0 | 9.3.0 |
Affected products
3- osv-coords2 versions
>= 6.0.0, < 8.11.3+ 1 more
- (no CPE)range: >= 6.0.0, < 8.11.3
- (no CPE)range: >= 6.0.0, < 8.11.3
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-3hwc-rqwp-v36qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-50291ghsaADVISORY
- solr.apache.org/security.htmlghsavendor-advisoryWEB
- www.openwall.com/lists/oss-security/2024/02/09/4ghsaWEB
- github.com/apache/solr/commit/659021c7d50164a3166887f24875228431b02102ghsaWEB
- github.com/apache/solr/commit/98c198810f2cd934d23d0d80aadb570a2bbb3b8eghsaWEB
- issues.apache.org/jira/browse/SOLR-16809ghsaWEB
News mentions
0No linked articles in our index yet.