Apache · Apache Solr Operator · CVE-2024-31391
**Name of the Vulnerable Software and Affected Versions**
Apache Solr Operator versions 0.3.0 through 0.8.0
**Description**
The issue arises when the Apache Solr Operator bootstraps Solr security: it enables basic authentication and creates accounts for accessing Solr. The operator uses a "k8s-oper" account for its own requests to Solr, including health checks such as the liveness, readiness, and startup probes. If authentication is required on the probe endpoints and a probe fails, the Solr Operator creates a Kubernetes "event" whose content includes the username and password of the "k8s-oper" account. This vulnerability affects solrcloud resources that bootstrapped security using the `.solrOptions.security.authenticationType=basic` option and required authentication on probes by setting `.solrOptions.security.probesRequireAuth=true`.
**Recommendations**
For versions 0.3.0 through 0.8.0, upgrade to Solr Operator version 0.8.1 to fix the issue.
As a temporary workaround, consider setting `.solrOptions.security.probesRequireAuth=false` to disable authentication on the health-check probes.
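An added audit script (not part of this advisory or of the Solr Operator project) that checks SolrCloud resources for the two conditions named in the description, flags Kubernetes events that mention the "k8s-oper" account so they can be reviewed for leaked credentials, and applies the temporary workaround from the recommendations. It assumes the advisory's field path sits under `.spec`, that objects arrive as plain dicts (as from `kubectl get ... -o json`), and uses constructed sample resources and event messages.

```python
import copy

AFFECTED_MIN = (0, 3, 0)  # affected Solr Operator range from the advisory
AFFECTED_MAX = (0, 8, 0)
OPERATOR_ACCOUNT = "k8s-oper"

def parse_version(version):
    """'v0.8.0' or '0.8.0' -> (0, 8, 0); assumes plain dotted release numbers."""
    return tuple(int(part) for part in version.lstrip("v").split("."))

def operator_is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def security_block(resource):
    # Field path from the advisory; that it lives under .spec is an assumption.
    return resource.get("spec", {}).get("solrOptions", {}).get("security", {})

def solrcloud_is_exposed(resource, operator_version):
    """True only when both advisory conditions hold on an affected operator."""
    sec = security_block(resource)
    basic = str(sec.get("authenticationType", "")).lower() == "basic"
    return (operator_is_affected(operator_version) and basic
            and bool(sec.get("probesRequireAuth", False)))

def apply_workaround(resource):
    """Copy of the resource with the advisory's temporary mitigation applied."""
    patched = copy.deepcopy(resource)
    opts = patched.setdefault("spec", {}).setdefault("solrOptions", {})
    opts.setdefault("security", {})["probesRequireAuth"] = False
    return patched

def events_naming_operator_account(events):
    """(namespace, name) of events whose message names the operator account."""
    return [(ev.get("metadata", {}).get("namespace"), ev.get("metadata", {}).get("name"))
            for ev in events if OPERATOR_ACCOUNT in ev.get("message", "")]

# Constructed sample objects so the script runs offline (not real cluster output).
SAMPLE_CLOUDS = {
    "search-prod": {"spec": {"solrOptions": {"security": {
        "authenticationType": "Basic", "probesRequireAuth": True}}}},
    "search-dev": {"spec": {"solrOptions": {"security": {
        "authenticationType": "Basic", "probesRequireAuth": False}}}},
}
SAMPLE_EVENTS = [  # message wording is constructed, not the operator's real text
    {"metadata": {"namespace": "solr", "name": "probe-fail-1"},
     "message": "Readiness probe failed for user k8s-oper"},
    {"metadata": {"namespace": "solr", "name": "probe-fail-2"},
     "message": "Readiness probe failed: connection refused"},
]
```

Any event the scanner returns should be deleted once reviewed, since it may still carry the account's password. Upgrading to 0.8.1 is the actual fix; the workaround only stops new leaks.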