cve-2023-50291
Vulnerability from cvelistv5
Published
2024-02-09 17:29
Modified
2025-02-13 17:19
Severity ?
Summary
Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI. This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password". Users who cannot upgrade can also use the following Java system property to fix the issue:   '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'
References
security@apache.orghttp://www.openwall.com/lists/oss-security/2024/02/09/4Mailing List
security@apache.orghttps://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistenciesVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2024/02/09/4Mailing List
af854a3a-2127-422b-91ae-364da2661108https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistenciesVendor Advisory
Impacted products
Vendor Product Version
Apache Software Foundation Apache Solr Version: 6.0.0    8.11.2
Version: 9.0.0   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T22:16:46.115Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2024/02/09/4",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Apache Solr",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThanOrEqual: "8.11.2",
                     status: "affected",
                     version: "6.0.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "9.3.0",
                     status: "affected",
                     version: "9.0.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               value: "Michael Taggart",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Insufficiently Protected Credentials vulnerability in Apache Solr.<p></p><p>This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.<span style=\"background-color: rgb(255, 255, 255);\"><br></span>One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.<br>There are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.<br><span style=\"background-color: rgb(255, 255, 255);\">This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.</span><br></p>This /admin/info/properties endpoint is protected under the \"config-read\" permission.<br>Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.<br><p>Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.<br>A single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".<br>By default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".</p><p>Users who cannot upgrade can also use the following Java system property to fix the issue:<br>&nbsp; '-D<span style=\"background-color: rgb(255, 255, 255);\">solr.redaction.system.pattern</span>=.*(password|secret|basicauth).*'</p><p></p>",
                  },
               ],
               value: "Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n  '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "moderate",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-522",
                     description: "CWE-522 Insufficiently Protected Credentials",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-02-09T17:30:06.569Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies",
            },
            {
               url: "http://www.openwall.com/lists/oss-security/2024/02/09/4",
            },
         ],
         source: {
            defect: [
               "SOLR-16809",
            ],
            discovery: "EXTERNAL",
         },
         title: "Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2023-50291",
      datePublished: "2024-02-09T17:29:32.882Z",
      dateReserved: "2023-12-06T17:56:16.223Z",
      dateUpdated: "2025-02-13T17:19:03.580Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2023-50291\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-02-09T18:15:08.240\",\"lastModified\":\"2025-02-13T18:15:49.720\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insufficiently Protected Credentials vulnerability in Apache Solr.\\n\\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\\nOne of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had \\\"password\\\" contained in the name.\\nThere are a number of sensitive system properties, such as \\\"basicauth\\\" and \\\"aws.secretKey\\\" do not contain \\\"password\\\", thus their values were published via the \\\"/admin/info/properties\\\" endpoint.\\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\\n\\nThis /admin/info/properties endpoint is protected under the \\\"config-read\\\" permission.\\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \\\"config-read\\\" permission.\\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\\nA single option now controls hiding Java system property for all endpoints, \\\"-Dsolr.hiddenSysProps\\\".\\nBy default all known sensitive properties are hidden (including \\\"-Dbasicauth\\\"), as well as any property with a name containing \\\"secret\\\" or \\\"password\\\".\\n\\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\\n  '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de credenciales insuficientemente protegidas en Apache Solr. Este problema afecta a Apache Solr: desde 6.0.0 hasta 8.11.2, desde 9.0.0 antes de 9.3.0. Uno de los dos endpoints que publica las propiedades del sistema Java del proceso Solr, /admin/info/properties, solo se configuró para ocultar las propiedades del sistema que tenían \\\"password\\\" en el nombre. Hay una serie de propiedades confidenciales del sistema, como \\\"basicauth\\\" y \\\"aws.secretKey\\\" que no contienen \\\"password\\\", por lo que sus valores se publicaron a través del endpoint \\\"/admin/info/properties\\\". Este endpoint completa la lista de System Properties en la pantalla de inicio de la página de administración de Solr, lo que hace que las credenciales expuestas sean visibles en la interfaz de usuario. Este endpoint /admin/info/properties está protegido bajo el permiso \\\"config-read\\\". Por lo tanto, las nubes Solr con autorización habilitada solo serán vulnerables a través de usuarios registrados que tengan el permiso \\\"config-read\\\". Se recomienda a los usuarios actualizar a la versión 9.3.0 u 8.11.3, que soluciona el problema. Una única opción ahora controla la ocultación de la propiedad del sistema Java para todos los endpoints, \\\"-Dsolr.hiddenSysProps\\\". De forma predeterminada, todas las propiedades confidenciales conocidas están ocultas (incluido \\\"-Dbasicauth\\\"), así como cualquier propiedad cuyo nombre contenga \\\"secret\\\" o \\\"password\\\". Los usuarios que no pueden actualizar también pueden utilizar la siguiente propiedad del sistema Java para solucionar el problema: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"8.11.3\",\"matchCriteriaId\":\"21D17629-7025-4DB8-936C-2C074AC00515\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.3.0\",\"matchCriteriaId\":\"E1EF37F2-A898-4CF3-A122-1EEA13E6DDA4\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/02/09/4\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/02/09/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.