CVE-2023-50298: Apache Solr: Solr can expose ZooKeeper credentials via Streaming Expressions
First published: Fri Feb 09 2024(Updated: )
Apache Solr could allow a remote attacker to obtain sensitive information, caused by an exposure of sensitive information to an unauthorized actor vulnerability. By using Streaming Expressions, an attacker could exploit his vulnerability to extract data from other Solr Clouds using a zkHost parameter and expose ZooKeeper credentials.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Solr | >=6.0.0<8.11.3 | |
| Apache Solr | >=9.0.0<9.4.1 | |
| maven/org.apache.solr:solr-solrj | >=6.0.0<8.11.3 | 8.11.3 |
| maven/org.apache.solr:solr-solrj | >=9.0.0<9.4.1 | 9.4.1 |
| maven/org.apache.solr:solr-solrj-streaming | >=6.0.0<8.11.3 | 8.11.3 |
| maven/org.apache.solr:solr-solrj-streaming | >=9.0.0<9.4.1 | 9.4.1 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions
- http://www.openwall.com/lists/oss-security/2024/02/09/3
- http://www.openwall.com/lists/oss-security/2024/02/09/2
- https://nvd.nist.gov/vuln/detail/CVE-2023-50298
- https://github.com/apache/solr/commit/e2bf1f434aad873fbb24c21d46ac00e888806d98
- https://github.com/apache/lucene-solr/commit/61c956c426b2cfb85ccef55d1afca4335eacd269
- https://issues.apache.org/jira/browse/SOLR-17098
- https://github.com/advisories/GHSA-xrj7-x7gp-wwqr (Advisory)
- https://www.ibm.com/support/pages/node/7177223 (Advisory)
- agent/title
- agent/first-publish-date
- agent/type
- collector/oss-sec
- source/oss-sec
- alias/CVE-2023-50298
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-xrj7-x7gp-wwqr
- agent/severity
- agent/event
- collector/nvd-cve
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- agent/trending
- vendor/apache
- canonical/apache solr
- version/apache solr/6.0.0
- version/apache solr/9.0.0
- package-manager/maven
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp4