PT-2024-24039 · Apache · Apache Solr Operator

Flip Hess · Published 2024-04-12 · Updated 2025-03-13 · CVE-2024-31391

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Solr Operator versions 0.3.0 through 0.8.0

Description: The issue affects the Apache Solr Operator when bootstrapping Solr security, enabling basic authentication, and creating accounts for accessing Solr. The operator uses a "k8s-oper" account for its requests to Solr, including healthchecks such as liveness, readiness, and startup probes. If authentication is required on probe endpoints and a probe fails, the Solr Operator creates a Kubernetes "event" containing the username and password of the "k8s-oper" account. This vulnerability affects solrcloud resources that bootstrapped security using the .solrOptions.security.authenticationType=basic option and required authentication on probes by setting .solrOptions.security.probesRequireAuth=true.

Recommendations: For versions 0.3.0 through 0.8.0, upgrade to Solr Operator version 0.8.1 to fix the issue. As a temporary workaround, consider setting .solrOptions.security.probesRequireAuth=false to disable authentication on healthcheck probes.
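Two defender-side checks that follow from the description and recommendations above, written as an added example (not code from the advisory or from the Solr Operator project): an audit of a SolrCloud resource for the vulnerable combination on an affected operator version, the interim patch the recommendations describe, and a scan of event messages for the "k8s-oper" account name. The manifest is assumed to be a parsed dict whose field path matches the one the advisory quotes, placed under "spec", and the operator version is assumed to come from the operator Deployment's image tag.

```python
# Added example, not code from the advisory or the Solr Operator project.
# Two defender-side checks for CVE-2024-31391: (1) does a SolrCloud resource
# carry the vulnerable combination on an affected operator version, and
# (2) do any Kubernetes event messages mention the "k8s-oper" account that
# the advisory says leaks on failed probes. Assumption: the manifest is a
# parsed dict with the field path quoted in the advisory under "spec", and
# the operator version is taken from the operator Deployment image tag.
from typing import Iterable, List

AFFECTED_MIN = (0, 3, 0)   # first affected version (advisory)
FIXED = (0, 8, 1)          # first fixed version (advisory)
LEAKED_USERNAME = "k8s-oper"

def parse_version(tag: str) -> tuple:
    """'v0.8.0' or '0.8.0' -> (0, 8, 0) for tuple comparison."""
    return tuple(int(p) for p in tag.lstrip("v").split("."))

def operator_is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED

def solrcloud_exposed(manifest: dict, operator_version: str) -> bool:
    """True when basic auth + probesRequireAuth=true meet an affected operator."""
    security = (manifest.get("spec") or {}).get("solrOptions", {}).get("security", {})
    return (operator_is_affected(operator_version)
            and security.get("authenticationType") == "basic"
            and security.get("probesRequireAuth") is True)

def workaround_patch() -> list:
    """JSON patch applying the advisory's interim mitigation to the CR."""
    return [{"op": "replace", "value": False,
             "path": "/spec/solrOptions/security/probesRequireAuth"}]

def events_with_leaked_credentials(messages: Iterable[str]) -> List[str]:
    """Event messages naming the operator account; treat each as a credential
    exposure that needs rotation of the k8s-oper password."""
    return [m for m in messages if LEAKED_USERNAME in m]

# Constructed sample input, not real cluster data.
SAMPLE_MANIFEST = {"kind": "SolrCloud", "spec": {"solrOptions": {"security": {
    "authenticationType": "basic", "probesRequireAuth": True}}}}
SAMPLE_EVENTS = ["Readiness probe failed ... k8s-oper:<constructed-secret>",
                 "Successfully pulled image"]

if __name__ == "__main__":
    print(solrcloud_exposed(SAMPLE_MANIFEST, "v0.8.0"))        # True
    print(workaround_patch())
    print(events_with_leaked_credentials(SAMPLE_EVENTS))
```

Any event the scanner returns means the password has already been written where anyone who can read events can see it, so rotate the k8s-oper credential after applying the upgrade or workaround rather than relying on the fix alone.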

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2024-31391
GHSA-G9QX-25VJ-RF53
GO-2024-2723

Affected Products

Apache Solr Operator