Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Thu, 17 Oct 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache solr
CPEs cpe:2.3:a:apache_software_foundation:apache_solr:*:*:*:*:*:*:*:* cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
Vendors & Products Apache Software Foundation
Apache Software Foundation apache Solr
Apache
Apache solr

Wed, 16 Oct 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache Software Foundation
Apache Software Foundation apache Solr
Weaknesses CWE-863
CPEs cpe:2.3:a:apache_software_foundation:apache_solr:*:*:*:*:*:*:*:*
Vendors & Products Apache Software Foundation
Apache Software Foundation apache Solr
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 16 Oct 2024 08:00:00 +0000

Type Values Removed Values Added
Description Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.
Title Apache Solr: Authentication bypass possible using a fake URL Path ending
Weaknesses CWE-287
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-10-16T07:50:25.965Z

Updated: 2024-11-08T04:55:08.457Z

Reserved: 2024-08-23T17:15:16.710Z

Link: CVE-2024-45216

cve-icon Vulnrichment

Updated: 2024-10-16T08:03:35.785Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-16T08:15:05.233

Modified: 2024-11-21T09:37:28.690

Link: CVE-2024-45216

cve-icon Redhat

No data.