CVE-2023-50291

Severity: 7.5 HIGH
EPSS: 3.1% (top 13.24%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 9

Description

Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publish the Solr process' Java system properties, /admin/info/properties, was only set up to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey", that do not contain "password", thus their values were published via the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

NVD: apache/solr, introduced 6.0.0, fixed 8.11.3 (+1)
Maven: org.apache.solr:solr-core, introduced 6.0.0, fixed 8.11.3 (+1)
CVEListV5: apache_software_foundation/apache_solr, introduced 9.0.0, fixed 9.3.0 (+1)
Debian: lucene-solr, affected < 3.6.2+dfsg-23 (+3)

🔴 Vulnerability Details (4)

OSV: CVE-2023-50291: Insufficiently Protected Credentials vulnerability in Apache Solr (2024-02-09)
OSV: Apache Solr can leak certain passwords due to System Property redaction logic inconsistencies (2024-02-09)
GHSA: Apache Solr can leak certain passwords due to System Property redaction logic inconsistencies (2024-02-09)
CVEList: Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords (2024-02-09)

📋 Vendor Advisories (2)

Red Hat: solr: system property redaction logic inconsistency can lead to leaked passwords (2024-02-09)
Debian: CVE-2023-50291: lucene-solr - Insufficiently Protected Credentials vulnerability in Apache Solr. This issue a... (2023)
CVE-2023-50291 (HIGH CVSS 7.5) | Insufficiently Protected Credential | cvebase.io