CVE-2024-45216
published 2024-10-16


Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 90.71% (99.8th percentile)

Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to authentication bypass. A fake ending at the end of any Solr API URL path will allow requests to skip authentication while maintaining the API contract with the original URL path. This fake ending looks like an unprotected API path; however, it is stripped off internally after authentication but before API routing. This issue affects Apache Solr from 5.3.0 before 8.11.4 and from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0 or 8.11.4, which fix the issue.

Affected

5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | solr | >= 5.3.0 < 8.11.4 | 8.11.4 |
| apache | solr | >= 9.0.0 < 9.7.0 | 9.7.0 |
| apache_software_foundation | apache_solr | >= 5.3.0 < 8.11.4 | 8.11.4 |
| apache_software_foundation | apache_solr | >= 9.0.0 < 9.7.0 | 9.7.0 |
| debian | lucene-solr | | |

Detection & IOCs (extracted from sources)

url: `/solr/admin/info/properties:/admin/info/key`
  • Look for HTTP requests to Solr API paths that contain a colon-separated fake suffix resembling an unprotected API path (e.g., `/solr/<collection>/<api>:/<fake_path>`). This is the bypass pattern where a fake ending is appended to a protected API URL.
  • Match HTTP responses from Solr containing all of: `responseHeader`, `system.properties`, `solr.script`, and `solr.solr.home` in the body with a 200 status and `application/json` content-type — this indicates successful unauthenticated access to sensitive properties.
  • Use Shodan query `http.html:"Apache Solr"` to identify exposed Apache Solr instances potentially vulnerable to this authentication bypass.
  • The vulnerability affects PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used. Monitor for unauthenticated requests reaching protected API endpoints on Apache Solr versions 5.3.0–8.11.3 and 9.0.0–9.6.x.
  • The bypass only works when Solr Authentication is enabled (which activates PKIAuthenticationPlugin by default). Solr instances without authentication configured are not affected by this specific bypass vector.
  • The fake path suffix is stripped off internally after authentication but before API routing, meaning the malicious request still receives a valid API response — detections based solely on 404s or routing errors will miss this attack.
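
The path-based check from the list above, as an added example (not code from this page or from the Solr project). It assumes combined-format access logs from a proxy in front of Solr; the function names, the sample lines and the percent-decoding step are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Request and status fields of a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A Solr path, a colon, then a second absolute path (the fake ending).
SUFFIX_RE = re.compile(r"^(?P<real>/solr/[^:]*):(?P<fake>/.*)$")

def find_fake_suffix(line):
    """Return details of a request using the fake-ending pattern, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Inspect the path only: Solr query strings legitimately contain ":/"
    # (regex queries such as q=title:/sec.*/), which must not be flagged.
    # Percent-decoding first is an assumption so that "%3A" is caught too.
    path = unquote(urlsplit(m["target"]).path)
    s = SUFFIX_RE.match(path)
    if not s:
        return None
    status = int(m["status"])
    return {
        "real_path": s["real"],
        "fake_suffix": s["fake"],
        "status": status,
        # The suffix is stripped before routing, so a bypass answers 200, not 404.
        "served": status == 200,
    }

def scan(lines):
    """Return all hits found in an iterable of log lines."""
    return [hit for hit in map(find_fake_suffix, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Oct/2024:10:01:02 +0000] "GET /solr/admin/info/properties:/admin/info/key HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Oct/2024:10:01:05 +0000] "GET /solr/books/select?q=title:/sec.*/ HTTP/1.1" 200 812',
    '203.0.113.9 - - [16/Oct/2024:10:02:11 +0000] "GET /solr/admin/info/properties HTTP/1.1" 401 310',
    '203.0.113.9 - - [16/Oct/2024:10:02:40 +0000] "GET /solr/books/schema%3A/admin/info/key?wt=json HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set to true are the ones to triage first, since a 200 on a protected path means the request was routed and answered.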

CVSS provenance

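| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | LOW | |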