Posted to commits@solr.apache.org by ho...@apache.org on 2024/01/12 19:43:44 UTC

(solr-site) branch main updated: Add CVE-2023-50290 notice

This is an automated email from the ASF dual-hosted git repository.

houston pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 2f7b86e5d Add CVE-2023-50290 notice
2f7b86e5d is described below

commit 2f7b86e5de999965cb6a45990d3dea294696c4b3
Author: Houston Putman <ho...@apache.org>
AuthorDate: Fri Jan 12 13:43:30 2024 -0600

    Add CVE-2023-50290 notice
---
 content/solr/security/2024-01-12-cve-2023-50290.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/content/solr/security/2024-01-12-cve-2023-50290.md b/content/solr/security/2024-01-12-cve-2023-50290.md
new file mode 100644
index 000000000..750f82745
--- /dev/null
+++ b/content/solr/security/2024-01-12-cve-2023-50290.md
@@ -0,0 +1,22 @@
+Title: Apache Solr allows read access to host environment variables
+category: solr/security
+cve: CVE-2023-50290
+
+**Versions Affected:**
+Solr 9.0 to 9.2.1
+
+**Description:**
+Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.
+The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance.
+Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties.
+Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-process.
+
+The Solr Metrics API is protected by the "metrics-read" permission.
+Therefore, Solr Clouds with Authorization setup will only be vulnerable via users with the "metrics-read" permission.
+
+**Mitigation:**
+Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.
+
+**References:**
+https://nvd.nist.gov/vuln/detail/CVE-2023-50290
+https://issues.apache.org/jira/browse/SOLR-16808
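Review bot: the **Mitigation:** section gives only the upgrade path, while the **Description:** section itself names two interim controls that readers stuck on 9.0 to 9.2.1 would want spelled out: the notice says users "are able to specify which environment variables to hide" but never says where that list is configured, and it says the API is gated by the "metrics-read" permission but does not recommend tightening it. Suggest adding a sentence under **Mitigation:** along the lines of "Users who cannot upgrade immediately should restrict the 'metrics-read' permission to trusted accounts and add any sensitive environment variables to the hidden list" (naming the setting the description alludes to). As a smaller point, the **References:** entries are bare URLs while the rest of the file uses markdown; wrapping them as links, e.g. `[CVE-2023-50290](https://nvd.nist.gov/vuln/detail/CVE-2023-50290)`, keeps the rendered page consistent.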