CVE-2024-45216

Published Oct 16, 2024

Last updated 10 months ago

CVSS critical 9.8

Overview

Description
Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.
Source
security@apache.org
NVD status
Analyzed
Products
solr

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-287
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-863

Social media

Hype score
Not currently trending

  1. CVE-2024-45216 Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used,… https://t.co/jqDDjXXSQI

    @CVEnew

    470 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Warning: Critical Improper Authentication (#CVE-2024-45216 / CVSS: 9.8) and Insecure Default Initialization of Resource (CVE-2024-45217 / CVSS: 8.1) vulnerability in @ApacheSolr. Vulnerabilities can lead to auth bypass & unauthorized code execution! #Patch https://t.co/lOBeRf

    @CCBalert

    252 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Apache Solr has an authentication bypass vulnerability (CVE-2024-45216), publicly disclosed on October 16, 2024, with a high impact level and a CVSS 3.1 score of 7.5 #apache #cve #vulnerability #darkweb #darkwebnews https://t.co/8s2JiSibY1

    @darkwebinsight

    69 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    0 Replies

    1 Quote

  4. 🗣 CVE-2024-45216: Critical Authentication Bypass Vulnerability Patched in Apache Solr https://t.co/6FvJHxCJyT

    @fridaysecurity

    94 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨🚨CVE-2024-45216: Apache Solr: Authentication bypass possible using a fake URL Path ending ⚠️This flaw could allow attackers to execute commands and access data without proper credentials, potentially leading to data breaches and system compromise. ZoomEye Dork👉app:"Apache… h

    @zoomeye_team

    490 Impressions

    0 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  6. Critical Authentication Bypass Vulnerability Patched in #Apache Solr Protect your organization from the risks of CVE-2024-45216 & CVE-2024-45217, two critical vulnerabilities in #ApacheSolr https://t.co/F3AwnNRA0i

    @the_yellow_fall

    543 Impressions

    5 Retweets

    12 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  7. Apache Solr fixes Critical Vulnerability CVE-2024-45216 #ApacheSolr #CVE-2024-45216 #CVE-2024-45217 https://t.co/C0Yd9VvJJB

    @pravin_karthik

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Analysis of Apache Solr's latest authentication bypass vulnerability CVE-2024-45216 https://t.co/MlDFehHQsw

    @Dinosn

    12 Nov 2024

    1414 Impressions

    0 Retweets

    4 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  9. cve-2024-45216 https://t.co/gfhKrfxmEp

    @kang9693na25429

    8 Nov 2024

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Top 5 Trending CVEs: 1 - CVE-2024-45216 2 - CVE-2024-38821 3 - CVE-2023-23397 4 - CVE-2024-51378 5 - CVE-2024-46538 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    2 Nov 2024

    88 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. LadonExp CVE-2024-45216 漏洞批量扫描教程 https://t.co/HbaFg1cn1N https://t.co/TQQkHE2SDD

    @buaqbot

    1 Nov 2024

    74 Impressions

    1 Retweet

    4 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  12. 🚀Detect Apache Solr Authentication Bypass (CVE-2024-45216) with @pdnuclei Template: https://t.co/0vO0wA7gja Research by https://t.co/SwKLQBnnGW #hackwithautomation #bugbounty #cybersecurity https://t.co/pK9VM08X4T

    @DhiyaneshDK

    1 Nov 2024

    7663 Impressions

    19 Retweets

    132 Likes

    67 Bookmarks

    0 Replies

    0 Quotes

  13. Apache Solr の認証バイパスの脆弱性 CVE-2024-45216 が FIX:ただちにをパッチを! https://t.co/2Q2F5MLhvX #Apache #OpenSource #Solr

    @iototsecnews

    25 Oct 2024

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2024-45216 (CVSS:9.8, CRITICAL) is Awaiting Analysis. Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enable..https://t.co/EpHXIRmyI4 #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    21 Oct 2024

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.  Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr's "RuleBasedAuthorizationPlugin" * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles" * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read". * A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway) Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role.  Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.CVE-2026-22022
  2. The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element .  These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem.  On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes.  Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users.  This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores.  Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue.CVE-2026-22444
  3. Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API.  Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem.   This issue affects Apache Solr: from 6.6 through 9.7.0. Users are recommended to upgrade to version 9.8.0, which fixes the issue.  Users unable to upgrade may also safely prevent the issue by using Solr's "Rule-Based Authentication Plugin" to restrict access to the configset upload API, so that it can only be accessed by a trusted set of administrators/users.CVE-2024-52012
  4. Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual "trusted" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem.  These replacement config files are treated as "trusted" and can use "<lib>" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin. This issue affects all Apache Solr versions up through Solr 9.7.  Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from "FileSystemConfigSetService").  Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of "<lib>" tags by default.CVE-2025-24814
  5. Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request. "trusted" ConfigSets are able to load custom code into classloaders, therefore the flag is supposed to only be set when the request that uploads the ConfigSet is Authenticated & Authorized. This issue affects Apache Solr: from 6.6.0 before 8.11.4, from 9.0.0 before 9.7.0. This issue does not affect Solr instances that are secured via Authentication/Authorization. Users are primarily recommended to use Authentication and Authorization when running Solr. However, upgrading to version 9.7.0, or 8.11.4 will mitigate this issue otherwise.CVE-2024-45217

References

Sources include official advisories and independent security research.