logo

Database

Lack of data validation - Path Traversal In org.apache.solr:solr-core

Description

Apache Solr Relative Path Traversal vulnerability Relative Path Traversal vulnerability in Apache Solr.

Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API.  Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem.   This issue affects Apache Solr: from 6.6 through 9.7.0.

Users are recommended to upgrade to version 9.8.0, which fixes the issue.  Users unable to upgrade may also safely prevent the issue by using Solr's "Rule-Based Authentication Plugin" to restrict access to the configset upload API, so that it can only be accessed by a trusted set of administrators/users.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-520122. NVD-2024-520123. OSV-2024-520124. GCVE-2024-52012

References

1. https://github.com/apache/solr/commit/5795edd143b8fcb2ffaf7f278a099b8678adf3962. https://issues.apache.org/jira/browse/SOLR-175433. https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd4. http://www.openwall.com/lists/oss-security/2025/01/26/2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.