Cyber Resilience

CVE-2023-50386

Severity: High
Published: 09 February 2024
Modified: 24 April 2025
KEV Added: not listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8684 (99.4th percentile)
Risk Priority: 70 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-50386 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Apache Solr. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.6% of CVEs by EPSS exploit likelihood (99.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache Solr versions 6.0.0 through 8.11.2 and 9.0.0 before 9.4.1 contain an improper control of dynamically-managed code resources vulnerability, also described as unrestricted upload of files with dangerous types and inclusion of functionality from an untrusted control sphere. In these releases the ConfigSets API accepts Java jar and class files, which are persisted to disk during collection backups that use the default LocalFileSystemRepository; when the backup target lies on a ClassPath or ClassLoader directory, the uploaded artifacts become loadable by any ConfigSet.

An authenticated user who can invoke both the ConfigSets API (to upload the jar or class file) and the Backup API (to write it to a location of their choosing) can therefore place executable code where Solr will load it, making it available to trusted and untrusted configurations alike. When Solr is operated with authorization enabled, as the project strongly recommends, the impact is narrowed to an extension of backup privileges that permits the addition of arbitrary libraries; without authorization, any client that can reach the HTTP endpoints holds both capabilities.

Official guidance from the Apache Solr security page and the coordinated oss-security disclosure recommends immediate upgrade to 8.11.3 or 9.4.1. These releases block upload of files that a Java ClassLoader can execute and restrict the Backup API from writing into ClassLoader directories. The EPSS score has remained near its observed peak of 0.8882 with a current value of 0.8684.
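The three facts a responder needs from the analysis above are the affected version ranges, what a "loadable" file inside a configset looks like, and whether a backup location would land inside a ClassLoader directory. The following Python script, added here as an example and not code from the Apache Solr project or this page's author, turns each into an offline check. The sample configset, the directory list and the magic-byte heuristic for renamed jar or class files are constructed assumptions of mine; the version bounds and the `.jar`/`.class` rule come from the advisory text.

```python
"""Offline triage helpers for CVE-2023-50386 (constructed example, not Apache Solr code).

What it shows:
  * is_affected_version()           -- the advisory's version ranges, with the fixed
                                       releases 8.11.3 and 9.4.1 as exclusive upper bounds
  * find_loadable_entries()         -- scan a configset zip for files a Java ClassLoader
                                       could load (.jar/.class by name, plus a magic-byte
                                       heuristic of my own for renamed files)
  * backup_inside_classloader_dir() -- would a Backup API 'location' resolve into a
                                       directory Solr loads classes from?
The sample configset and paths are constructed inline so the script runs offline.
"""
import io
import re
import zipfile
from pathlib import Path, PurePosixPath

# Affected: [6.0.0, 8.11.3) and [9.0.0, 9.4.1); the upper bounds are the fixed releases.
AFFECTED_RANGES = (((6, 0, 0), (8, 11, 3)), ((9, 0, 0), (9, 4, 1)))

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # Java .class file header
ZIP_MAGIC = b"PK\x03\x04"           # local-file header of a zip/jar
LOADABLE_SUFFIXES = {".jar", ".class"}


def parse_version(version: str) -> tuple:
    """'9.4.0' -> (9, 4, 0); ignores any qualifier after the third component."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"not a Solr version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def find_loadable_entries(configset_zip: bytes) -> list:
    """Return (entry name, reason) for every file a ClassLoader might pick up."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(configset_zip)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in LOADABLE_SUFFIXES:
                flagged.append((info.filename, f"extension {suffix}"))
            elif head == CLASS_MAGIC:
                flagged.append((info.filename, "class-file magic under another name"))
            elif head == ZIP_MAGIC:
                flagged.append((info.filename, "zip/jar magic under another name"))
    return flagged


def backup_inside_classloader_dir(location: str, classloader_dirs) -> bool:
    """True if 'location' (after collapsing '..' and symlinks) is at or below any
    directory Solr loads classes from, e.g. $SOLR_HOME/lib or a core's lib/."""
    target = Path(location).resolve()
    for d in classloader_dirs:
        base = Path(d).resolve()
        if target == base or base in target.parents:
            return True
    return False


def build_sample_configset() -> bytes:
    """Constructed configset: two legitimate files plus three that should be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("solrconfig.xml", "<config/>")
        zf.writestr("managed-schema", "<schema/>")
        zf.writestr("lib/helper.jar", ZIP_MAGIC + b"\x00" * 26)
        zf.writestr("lib/Evil.class", CLASS_MAGIC + b"\x00\x00\x00\x34")
        zf.writestr("lang/stopwords.txt", CLASS_MAGIC + b"\x00\x00\x00\x34")  # renamed .class
    return buf.getvalue()


# Hypothetical deployment layout for the path check (not read from a real install).
SAMPLE_CLASSLOADER_DIRS = ["/var/solr/lib", "/var/solr/data/mycoll_shard1_replica_n1/lib"]


if __name__ == "__main__":
    for v in ("8.11.2", "8.11.3", "9.4.0", "9.4.1"):
        print(f"Solr {v}: {'AFFECTED' if is_affected_version(v) else 'fixed/not affected'}")
    for name, why in find_loadable_entries(build_sample_configset()):
        print(f"reject configset entry {name}: {why}")
    for loc in ("/var/solr/backups/nightly", "/var/solr/backups/../lib/drop"):
        verdict = backup_inside_classloader_dir(loc, SAMPLE_CLASSLOADER_DIRS)
        print(f"backup location {loc}: {'BLOCK' if verdict else 'ok'}")
```

The path check resolves `..` and symlinks before comparing, which is why the `/var/solr/backups/../lib/drop` location is blocked even though it is spelled as a backups path. Checks like these are a stop-gap for inventorying exposure; the fix is the upgrade to 8.11.3 or 9.4.1, which performs both rejections inside Solr.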


Vulnerability details

Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added:

* Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader.
* The Backup API restricts saving backups to directories that are used in the ClassLoader.

CWE(s)

CWE-913 Improper Control of Dynamically-Managed Code Resources · CWE-434 Unrestricted Upload of File with Dangerous Type · CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
solr
6.0.0 through 8.11.2 · 9.0.0 through 9.4.0 (fixed in 8.11.3 and 9.4.1)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry, not from the Solr attack path. Of these, only the mobile-code authorization control (CWE-913) and the upload scanning and detonation controls (CWE-434) bear on a jar or class file arriving over the HTTP ConfigSets API; the portable-device and firmware write-protect entries do not apply to this issue. The control that actually closes the gap is the upgrade to 8.11.3 or 9.4.1, with Solr authorization enabled so that ConfigSets upload and Backup permissions are held only by trusted administrators.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-913

Requiring explicit authorization and ongoing control of mobile code implements proper management of dynamically loaded code resources.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
