Improper Authentication vulnerability in Apache Solr.
Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass.
A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path.
This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing.
This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0.
Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Thu, 17 Oct 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache
Apache solr |
|
CPEs | cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:* | |
Vendors & Products |
Apache Software Foundation
Apache Software Foundation apache Solr |
Apache
Apache solr |
Wed, 16 Oct 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache Software Foundation
Apache Software Foundation apache Solr |
|
Weaknesses | CWE-863 | |
CPEs | cpe:2.3:a:apache_software_foundation:apache_solr:*:*:*:*:*:*:*:* | |
Vendors & Products |
Apache Software Foundation
Apache Software Foundation apache Solr |
|
Metrics |
cvssV3_1
|
Wed, 16 Oct 2024 08:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue. | |
Title | Apache Solr: Authentication bypass possible using a fake URL Path ending | |
Weaknesses | CWE-287 | |
References |
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-10-16T07:50:25.965Z
Updated: 2024-11-08T04:55:08.457Z
Reserved: 2024-08-23T17:15:16.710Z
Link: CVE-2024-45216
Vulnrichment
Updated: 2024-10-16T08:03:35.785Z
NVD
Status : Awaiting Analysis
Published: 2024-10-16T08:15:05.233
Modified: 2024-11-21T09:37:28.690
Link: CVE-2024-45216
Redhat
No data.