Apache · Apache Solr · CVE-2026-22444
**Name of the Vulnerable Software and Affected Versions**
Apache Solr versions 8.6 through 9.10.0
**Description**
The 'create core' API in Apache Solr does not properly validate certain API parameters. This can cause Solr to check for, and attempt to read, file system paths that should be restricted by the 'allowPaths' security setting. Successful exploitation could allow users to create cores using unexpected configsets if those are accessible via the file system. On Windows systems that allow UNC paths, this could also result in the disclosure of NTLM "user" hashes. The issue requires Solr to be running in standalone mode, relying on the 'allowPaths' setting to restrict file access, and exposing the 'create core' API to untrusted users, for example because the RuleBasedAuthorizationPlugin is disabled or misconfigured.
**Recommendations**
Upgrade to Apache Solr version 9.10.1 or greater.
Enable Solr’s RuleBasedAuthorizationPlugin if it is disabled.
Configure a permission list that prevents untrusted users from creating new Solr cores.
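One way to carry out the last two recommendations on a standalone Solr, as an added example that is not part of the advisory or of the Solr project's own files: a POSIX shell function writes a security.json that enables Basic authentication and the RuleBasedAuthorizationPlugin, and binds Solr's predefined core-admin-edit permission (which covers CoreAdmin CREATE) to an admin role, so that only members of that role can create cores. Assumptions made here, not taken from the advisory: the destination directory is SOLR_HOME, the role is named admin, and the credential hash is the Solr reference guide's sample for user solr with password SolrRocks, which must be replaced before deployment.

```shell
#!/bin/sh
# Added example (not from the advisory or the Solr project). Writes a
# security.json for standalone Solr that turns on BasicAuth plus the
# RuleBasedAuthorizationPlugin and restricts the CoreAdmin API to the
# "admin" role. Assumed: $1 is SOLR_HOME; role name "admin"; the hash
# below is the reference guide's sample for solr/SolrRocks -- replace it.

write_security_json() {
  # $1 = SOLR_HOME (assumed); security.json is read from there in standalone mode
  dest="$1/security.json"
  cat > "$dest" <<'EOF'
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "core-admin-edit", "role": "admin"},
      {"name": "core-admin-read", "role": "admin"},
      {"name": "security-edit", "role": "admin"}
    ],
    "user-role": {"solr": "admin"}
  }
}
EOF
  printf '%s\n' "$dest"
}

# Sanity check on the written file: the plugin must be named and the
# CoreAdmin edit permission must be tied to a role (a null role would
# grant it to everyone, which is the misconfiguration the advisory warns about).
check_security_json() {
  f="$1"
  grep -q '"class": *"solr.RuleBasedAuthorizationPlugin"' "$f" &&
  grep -q '"name": *"core-admin-edit", *"role": *"admin"' "$f" &&
  grep -q '"blockUnknown": *true' "$f"
}

# Usage: sh this_script.sh --demo   (writes into a temp dir and verifies it)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  f=$(write_security_json "$tmp")
  check_security_json "$f" && echo "ok: $f"
fi
```

After placing the file in SOLR_HOME, restart Solr; with blockUnknown set to true, unauthenticated requests are rejected outright, and authenticated users without the admin role are denied CoreAdmin CREATE by the core-admin-edit rule. The security-edit rule keeps non-admin users from loosening this configuration through the authorization API.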