CVE-2024-45217: Initialization of a Resource with an Insecure Default in Apache Software Foundation Apache Solr

Severity: 8.1 HIGH (NVD)
EPSS: 0.1% (top 65.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 16

Description

Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request. "trusted" ConfigSets are able to load custom code into cl

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

NVD: apache/solr, versions 6.6.0 to 8.11.4 (+1)
CVEListV5: apache_software_foundation/apache_solr, versions 6.6.0 to 8.11.4 (+1)

Vulnerability Details (4)

CVEList: Apache Solr: ConfigSets created during a backup restore command are trusted implicitly (2024-10-16)
OSV: Insecure Default Initialization of Resource vulnerability in Apache Solr (2024-10-16)
GHSA: Insecure Default Initialization of Resource vulnerability in Apache Solr (2024-10-16)
OSV: CVE-2024-45217: Insecure Default Initialization of Resource vulnerability in Apache Solr (2024-10-16)

Vendor Advisories (1)

Debian: CVE-2024-45217: lucene-solr - Insecure Default Initialization of Resource vulnerability in Apache Solr. New C... (2024)
CVE-2024-45217 — HIGH severity | cvebase