CVE-2023-50386
Published: 09 February 2024
Summary
CVE-2023-50386 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Apache Solr. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache Solr versions 6.0.0 through 8.11.2 and 9.0.0 before 9.4.1 contain an improper control of dynamically-managed code resources vulnerability, also described as unrestricted upload of files with dangerous types and inclusion of functionality from an untrusted control sphere. In these releases the ConfigSets API accepts Java jar and class files, which are persisted to disk during collection backups that use the default LocalFileSystemRepository; when the backup target lies on a ClassPath or ClassLoader directory, the uploaded artifacts become loadable by any ConfigSet.
An authenticated user who can invoke both the ConfigSets API and the Backup API can therefore place executable code where it will be available to trusted or untrusted configurations alike. When Solr is operated with authorization enabled, the impact is narrowed to an extension of backup privileges that permits addition of arbitrary libraries.
Official guidance from the Apache Solr security page and the coordinated oss-security disclosure recommends immediate upgrade to 8.11.3 or 9.4.1. These releases block upload of files that a Java ClassLoader can execute and restrict the Backup API from writing into ClassLoader directories. The EPSS score has remained near its observed peak of 0.8882 with a current value of 0.8684.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0481
Vulnerability details
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.
In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added:
- Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader.
- The Backup API restricts saving backups to directories that are used in the ClassLoader.
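The first protection above, an upload gate that refuses ClassLoader-executable files, as an added Python example (not Solr's own code) that a defender can run over a ConfigSet archive before upload or over configsets already on disk; it assumes the ConfigSets API upload format is a zip and checks file content as well as extension, so a renamed class file or jar is still flagged.

```python
"""Audit a Solr ConfigSet zip for Java artifacts a ClassLoader could load.
Added example mirroring the CVE-2023-50386 fix; not Solr's own code."""
import io
import zipfile

# Extensions the fixed releases refuse; other names are checked by content.
LOADABLE_SUFFIXES = (".jar", ".class")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # Java class file header
ZIP_MAGIC = b"PK\x03\x04"           # jar files are zip archives


def classify_entry(name: str, head: bytes) -> str:
    """Return a finding for a loadable Java artifact, or "" if the entry is clean."""
    if name.lower().endswith(LOADABLE_SUFFIXES):
        return f"{name}: forbidden extension"
    if head.startswith(CLASS_MAGIC):
        return f"{name}: Java class magic under a non-.class name"
    if head.startswith(ZIP_MAGIC):
        return f"{name}: nested archive (possible renamed jar)"
    return ""


def audit_configset(archive: bytes) -> list:
    """Scan every file in a ConfigSet zip; an empty list means it is clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                findings.append(f"{info.filename}: path escapes the configset")
                continue
            with zf.open(info) as fh:
                head = fh.read(4)          # magic bytes are enough to classify
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append(reason)
    return findings


def build_sample_configset() -> bytes:
    """Constructed test input: a minimal configset plus two smuggled artifacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("solrconfig.xml", "<config/>")
        zf.writestr("managed-schema", "<schema name='x' version='1.6'/>")
        zf.writestr("lib/plugin.jar", ZIP_MAGIC + b"\x00" * 8)       # by extension
        zf.writestr("lib/Helper.txt", CLASS_MAGIC + b"\x00\x00\x00\x34")  # by content
    return buf.getvalue()
```

Run `audit_configset(build_sample_configset())` to see both smuggled entries reported; a clean configset returns an empty list and can be uploaded.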
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
Requiring explicit authorization and ongoing control of mobile code implements proper management of dynamically loaded code resources.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.