Apache Solr vulnerabilities

CVE-2026-22022 [HIGH] CWE-285 CVE-2026-22022: Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr's "Rule

CVE-2026-22444 [HIGH] CWE-20 CVE-2026-22444: The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some AP The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xm

CVE-2024-52012 [MEDIUM] CWE-23 CVE-2024-52012: Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnera Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API. Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem.

CVE-2025-24814 [MEDIUM] CWE-250 CVE-2025-24814: Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr i Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual "tr

CVE-2024-45216 [CRITICAL] CWE-287 CVE-2024-45216: Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlu Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the ori

CVE-2024-45217 [HIGH] CWE-1188 CVE-2024-45217: Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are c Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this l

CVE-2023-50292 [HIGH] CWE-732 CVE-2023-50292: Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr. This issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0. The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, when t

CVE-2023-50386 [HIGH] CWE-434 CVE-2023-50386: Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous T Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files t

CVE-2023-50298 [HIGH] CWE-200 CVE-2023-50298: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue a Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. When original SolrCloud is setup to use ZooKeeper credentials and ACLs,

CVE-2023-50291 [HIGH] CWE-522 CVE-2023-50291: Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a

CVE-2023-50290 [MEDIUM] CWE-200 CVE-2023-50290: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Me Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Env

CVE-2023-44487 [HIGH] CWE-400 CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancell The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2021-44548 [CRITICAL] CWE-20 CVE-2021-44548: An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensi

CVE-2021-33813 [HIGH] CWE-611 CVE-2021-33813: An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

CVE-2021-27905 [CRITICAL] CWE-918 CVE-2021-27905: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a si

CVE-2021-29943 [CRITICAL] CWE-863 CVE-2021-29943: When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8 When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.

CVE-2021-29262 [HIGH] CWE-522 CVE-2021-29262: When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParams When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the s

CVE-2021-28163 [LOW] CWE-200 CVE-2021-28163: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user use In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

CVE-2020-27223 [MEDIUM] CWE-407 CVE-2020-27223: In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty hand In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhaust

CVE-2020-9492 [HIGH] CWE-863 CVE-2020-9492: In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client mi In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.