CVE-2024-45216
Published: 16 October 2024
Summary
CVE-2024-45216 is a critical-severity Improper Authentication (CWE-287) vulnerability in Apache Solr. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache Solr contains an improper authentication vulnerability in the PKIAuthenticationPlugin, which is enabled by default whenever Solr authentication is configured. The flaw affects versions 5.3.0 through 8.11.3 and 9.0.0 through 9.6.1. An attacker can append to any Solr API URL a fabricated trailing path segment that mimics an unauthenticated endpoint; the server accepts the request without credentials, strips the segment internally after the authentication step, and then routes the original protected path, bypassing authentication entirely.
Because the vulnerability is exploitable over the network without credentials or user interaction, a remote attacker can reach any API functionality that would normally require authentication, resulting in full compromise of the Solr instance including data access, modification, and deletion.
The Apache Solr security advisory recommends immediate upgrade to 8.11.4 or 9.7.0. The associated OpenWall disclosure reiterates the same fixed releases and notes that no workarounds are available.
The EPSS score has reached 0.94, indicating substantial exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3084
Vulnerability details
Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to authentication bypass. A fake ending at the end of any Solr API URL path will allow requests to skip authentication while maintaining the API contract with the original URL path. This fake ending looks like an unprotected API path; however, it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0 or 8.11.4, which fix the issue.
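As a defender-side check derived from the version ranges stated above, here is a small Python triage script that flags inventory entries whose Solr version falls inside an affected range and names the fixed release for that branch. This is an added example, not part of this advisory and not code from the Solr project; the hostnames and versions in the sample inventory are constructed.

```python
"""Affected-version triage for CVE-2024-45216 (Apache Solr PKIAuthenticationPlugin bypass).

Added example. The ranges below are taken from the advisory text:
5.3.0 <= v < 8.11.4 and 9.0.0 <= v < 9.7.0. Inventory data is constructed.
"""
from typing import List, Tuple

Version = Tuple[int, ...]

# Affected ranges as stated in the advisory: [first affected, first fixed) per branch.
AFFECTED_RANGES = [
    ((5, 3, 0), (8, 11, 4)),
    ((9, 0, 0), (9, 7, 0)),
]


def parse_version(text: str) -> Version:
    """Turn '8.11.3' (or '9.6.1-SNAPSHOT', suffix ignored) into a comparable tuple.

    Missing components are padded with 0 so '9.6' compares as 9.6.0.
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unrecognised version string: {text!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str:
    """Fixed release for the branch the version belongs to, or '' if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return ""


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, fixed_release) for every affected inventory entry."""
    findings = []
    for host, version in inventory:
        if is_affected(version):
            findings.append((host, version, recommended_fix(version)))
    return findings


# Constructed sample inventory: hostnames and versions are invented for this example.
SAMPLE_INVENTORY = [
    ("solr-a.example.internal", "8.11.3"),   # affected, 8.x branch
    ("solr-b.example.internal", "9.6.1"),    # affected, 9.x branch
    ("solr-c.example.internal", "9.7.0"),    # fixed
    ("solr-d.example.internal", "5.2.1"),    # predates the affected range
    ("solr-e.example.internal", "8.11.4"),   # fixed
]

if __name__ == "__main__":
    for host, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: Solr {version} is affected by CVE-2024-45216; upgrade to {fix}")
```

Because the advisory lists no workaround and the vulnerable plugin is enabled by default once Solr authentication is turned on, the installed version is the decisive signal for triage. The parser ignores pre-release suffixes such as `-SNAPSHOT`, which is a simplification: a snapshot build is compared as its base version number.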
- CWE(s): CWE-287 (Improper Authentication)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Session content review can reveal authentication bypasses or failures in session establishment.
- Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.
- Identity providers centralize and enforce authentication mechanisms, reducing improper authentication.
- Access-control enforcement applies correct authorization checks during the identifier assignment process.
- Personnel screening, identity verification, and access-agreement requirements support reliable authentication and reduce authentication bypass opportunities.
- Decoy authentication surfaces detect bypass attempts and deflect real credential attacks through observable malicious interactions.
- Periodic review and update of procedures reduces incorrect authorization implementations over time.
- Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.