Apache · Apache Solr · CVE-2023-50291
**Name of the Vulnerable Software and Affected Versions**
Apache Solr versions 6.0.0 through 8.11.2
Apache Solr versions 9.0.0 through 9.2.x
**Description**
The issue is insufficient protection of credentials in Apache Solr. One of the two endpoints that publish the Solr process's Java system properties, "/admin/info/properties", was only set up to hide system properties whose name contains "password". Other sensitive system properties, such as "basicauth" and "aws.secretKey", do not contain "password", so their values were published in clear text by the "/admin/info/properties" endpoint. The endpoint is protected by the "config-read" permission, so Solr Clouds with Authorization enabled are only exposed through logged-in users who hold "config-read"; on an instance without Authorization configured, anyone who can reach the endpoint can read the properties.
**Recommendations**
Upgrade to version 9.3.0 or 8.11.3, both of which fix the issue. In the fixed versions a single option, "-Dsolr.hiddenSysProps", controls system property redaction for all endpoints; by default all known sensitive properties are hidden (including "basicauth"), as well as any property whose name contains "secret" or "password".
For users who cannot upgrade, start Solr with the Java system property '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*' so that the existing redaction also covers property names containing "secret" or "basicauth".
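The following is an added example, not code from the page or from the Solr project. It models the redaction behaviour described above (a property is hidden when its name matches the configured pattern) so the weak and the recommended pattern can be compared side by side, and it gives a check a practitioner can run against a saved "/admin/info/properties" response after applying the workaround. Assumptions: the redacted placeholder is "--REDACTED--", the properties sit under the "system.properties" key of the JSON response, the pattern is applied with full-match semantics, and all property values are constructed. The `extended_pattern` helper goes beyond the page by building a pattern that also covers deployment-specific property names.

```python
import json
import re

# Placeholder a redacted value is replaced with (assumed; compare with your instance).
REDACTED = "--REDACTED--"

# Models the pre-fix behaviour the advisory describes: only names containing
# "password" are hidden.
VULNERABLE_PATTERN = r".*password.*"

# The advisory's workaround value for -Dsolr.redaction.system.pattern.
FIXED_PATTERN = r".*(password|secret|basicauth).*"

# Constructed system properties as a vulnerable node might hold them. All values
# are made up; "solr:SolrRocks" is the Solr documentation example, not a real credential.
SAMPLE_PROPS = {
    "java.version": "11.0.20",
    "solr.solr.home": "/var/solr/data",
    "solr.jetty.keystore.password": "changeit",
    "basicauth": "solr:SolrRocks",
    "aws.secretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}


def redact_properties(props, pattern):
    """Model of the redaction step: a property whose *name* fully matches the
    pattern has its value replaced by REDACTED; every other property is
    returned unchanged. Only the name is inspected, never the value."""
    regex = re.compile(pattern)
    return {name: (REDACTED if regex.fullmatch(name) else value)
            for name, value in props.items()}


def leaked_sensitive(props, sensitive_pattern=FIXED_PATTERN):
    """Names of properties that match the sensitive pattern but still carry a
    real (non-redacted) value, sorted for stable output."""
    regex = re.compile(sensitive_pattern)
    return sorted(name for name, value in props.items()
                  if regex.fullmatch(name) and value != REDACTED)


def audit_response(body, sensitive_pattern=FIXED_PATTERN):
    """Audit a captured /admin/info/properties JSON body (e.g. saved with curl
    after setting the workaround). Returns the names still leaking a value;
    an empty list means the redaction covers every sensitive name."""
    props = json.loads(body).get("system.properties", {})  # key assumed
    return leaked_sensitive(props, sensitive_pattern)


def extended_pattern(extra_names):
    """Build a -Dsolr.redaction.system.pattern value that keeps the advisory's
    three tokens and adds deployment-specific name fragments, regex-escaped so
    a dot in a property name is matched literally."""
    tokens = ["password", "secret", "basicauth"] + [re.escape(t) for t in extra_names]
    return r".*(" + "|".join(tokens) + r").*"


# Constructed response body as a vulnerable 8.11.2 node would return it:
# the keystore password is already hidden, basicauth and aws.secretKey are not.
SAMPLE_RESPONSE = json.dumps({
    "responseHeader": {"status": 0, "QTime": 2},
    "system.properties": redact_properties(SAMPLE_PROPS, VULNERABLE_PATTERN),
})

if __name__ == "__main__":
    print("leaked with default pattern:", audit_response(SAMPLE_RESPONSE))
    fixed = redact_properties(SAMPLE_PROPS, FIXED_PATTERN)
    print("leaked with workaround pattern:", leaked_sensitive(fixed))
    print("flag for an extra name:",
          "-Dsolr.redaction.system.pattern=" + extended_pattern(["apikey"]))
```

To use the audit on a live instance, save the endpoint output with an authenticated `curl ... /solr/admin/info/properties?wt=json > props.json` and pass the file contents to `audit_response`; any name it returns is a property whose value is still visible to every holder of "config-read". Note that redaction keys off the property *name* only, so a secret passed under an unusual name (for instance a custom plugin's property) is not hidden unless the pattern is extended to cover it.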