
Apache Solr Authentication Bypass Vulnerability (CVE-2024-45216)

Nov 01, 2024 GMT+08:00

I. Overview

Apache Solr has released a security notice regarding a vulnerability (CVE-2024-45216) in the PKIAuthenticationPlugin, which is enabled by default. The vulnerability allows an attacker to bypass authentication by appending a fake path ending to a Solr API URL, potentially exposing sensitive data or enabling malicious operations. A proof of concept (PoC) has been publicly disclosed, and the risk is high.

Apache Solr is a scalable, deployable, storage-optimized, and text-centric full-text search platform. If you are an Apache Solr user, check your version and apply security hardening promptly.

Reference:

https://github.com/apache/solr/commit/bd61680bfd351f608867739db75c3d70c1900e38

https://solr.apache.org/security.html#cve-2024-45216-apache-solr-authentication-bypass-possible-using-a-fake-url-path-ending

II. Severity

Severity: important

(Severity levels: low, moderate, important, critical)

III. Affected Products

Affected versions:

5.3.0 <= Apache Solr < 8.11.4

9.0.0 <= Apache Solr < 9.7.0

Secure versions:

Apache Solr 8.11.4

Apache Solr 9.7.0

IV. Vulnerability Handling

This vulnerability has been fixed in later official versions. If your service version falls within the affected range, upgrade it to the latest secure version.

https://solr.apache.org/downloads.html

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
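As an added example (not part of this notice or of the Solr project), the following Python check reads the version that Solr reports at its `/solr/admin/info/system` endpoint (the `solr-spec-version` field under `lucene`) and compares it against the affected ranges listed above; the JSON body embedded below is a constructed sample response, not captured output.

```python
import json
from typing import List, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, as [lower, upper) pairs:
# 5.3.0 <= Solr < 8.11.4 and 9.0.0 <= Solr < 9.7.0
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((5, 3, 0), (8, 11, 4)),
    ((9, 0, 0), (9, 7, 0)),
]

# Constructed sample of a /solr/admin/info/system response (trimmed).
SAMPLE_SYSTEM_INFO = """
{
  "responseHeader": {"status": 0, "QTime": 3},
  "mode": "solrcloud",
  "lucene": {
    "solr-spec-version": "9.6.1",
    "solr-impl-version": "9.6.1 (constructed sample)",
    "lucene-spec-version": "9.10.0"
  }
}
"""


def parse_version(text: str) -> Version:
    """Turn '9.6.1' or '9.6.1-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:  # pad '8.11' to (8, 11, 0)
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(text: str) -> bool:
    """True if the version falls inside any affected range (upper bound exclusive)."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def version_from_system_info(body: str) -> str:
    """Extract the Solr spec version from the system-info JSON body."""
    return json.loads(body)["lucene"]["solr-spec-version"]


if __name__ == "__main__":
    reported = version_from_system_info(SAMPLE_SYSTEM_INFO)
    state = "AFFECTED, upgrade required" if is_affected(reported) else "not in affected range"
    print(f"Solr {reported}: {state}")
```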