CVE-2024-52012
Description
Relative Path Traversal vulnerability in Apache Solr.
Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API. Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem. This issue affects Apache Solr: from 6.6 through 9.7.0.
Users are recommended to upgrade to version 9.8.0, which fixes the issue. Users unable to upgrade may also safely prevent the issue by using Solr's "Rule-Based Authentication Plugin" to restrict access to the configset upload API, so that it can only be accessed by a trusted set of administrators/users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.solr:solr-coreMaven | >= 6.6, < 9.8.0 | 9.8.0 |
Affected products
7- osv-coords6 versionspkg:apk/chainguard/solrpkg:apk/chainguard/solr-oci-compatpkg:apk/wolfi/solrpkg:apk/wolfi/solr-oci-compatpkg:bitnami/solrpkg:maven/org.apache.solr/solr-core
< 0+ 5 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: >= 6.6.0, < 9.8.0
- (no CPE)range: >= 6.6, < 9.8.0
Patches
Vulnerability mechanics
References
6- www.openwall.com/lists/oss-security/2025/01/26/2nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-4p5m-gvpf-f3x5ghsaADVISORY
- lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxdnvdMailing ListVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-52012ghsaADVISORY
- github.com/apache/solr/commit/5795edd143b8fcb2ffaf7f278a099b8678adf396ghsaWEB
- issues.apache.org/jira/browse/SOLR-17543ghsaWEB
News mentions
0No linked articles in our index yet.