PT-2024-31485 · Apache · Apache Solr

Liu Huajin · Published 2024-10-15 · Updated 2025-07-01 · CVE-2024-45217

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Apache Solr versions 6.6.0 through 8.11.3
Apache Solr versions 9.0.0 through 9.6.x
Description

The issue stems from insecure default initialization of resources in Apache Solr: a ConfigSet created through a Restore command is written without the "trusted" metadata, and the absence of that metadata is treated as implicit trust. A trusted ConfigSet may load custom code into Solr's classloaders, so a ConfigSet that was never created by an authenticated request can nevertheless do so. The "trusted" flag is meant to be set only when the request that uploads the ConfigSet is authenticated and authorized.
Recommendations

For Apache Solr versions 6.6.0 through 8.11.3, upgrade to version 8.11.4 to mitigate the issue. For Apache Solr versions 9.0.0 through 9.6.x, upgrade to version 9.7.0 to mitigate the issue. As a general recommendation, users are advised to use Authentication and Authorization when running Solr to prevent such issues.
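Added example (not code from this advisory or from the Apache Solr project): a defender-side audit in Python that contrasts the affected trust decision (missing metadata treated as trusted) with the hardened one (only an explicit trusted=true counts) over a constructed set of ConfigSet metadata records, and maps a running Solr version to the fixed release named above. It assumes ConfigSet metadata is a small JSON object with an optional boolean "trusted" key; the record contents and names are constructed for the demonstration.

```python
import json
from typing import Dict, List, Optional

# Constructed ZooKeeper-style dump: ConfigSet name -> raw metadata bytes.
# A ConfigSet created via Restore in affected versions carries no "trusted" key.
CONSTRUCTED_CONFIGSETS: Dict[str, bytes] = {
    "_default":          b'{"trusted":true}',   # shipped with Solr
    "uploaded_by_admin": b'{"trusted":true}',   # authenticated upload
    "uploaded_anon":     b'{"trusted":false}',  # unauthenticated upload
    "restored_backup":   b'',                   # created via Restore: no metadata
    "odd_metadata":      b'{"other":1}',        # metadata present, key absent
}

def _load(raw: bytes) -> Optional[dict]:
    """Parse metadata; None when it is empty or not a JSON object."""
    if not raw:
        return None
    try:
        meta = json.loads(raw)
    except ValueError:
        return None
    return meta if isinstance(meta, dict) else None

def trusted_vulnerable(raw: bytes) -> bool:
    """Affected behaviour (modelled): absent metadata or key defaults to trusted."""
    meta = _load(raw)
    return True if meta is None else meta.get("trusted", True) is True

def trusted_fixed(raw: bytes) -> bool:
    """Hardened default: only an explicit trusted=true counts; anything else is untrusted."""
    meta = _load(raw)
    return meta is not None and meta.get("trusted") is True

def audit(configsets: Dict[str, bytes]) -> List[str]:
    """ConfigSets the affected logic trusts but the hardened logic would not."""
    return sorted(n for n, raw in configsets.items()
                  if trusted_vulnerable(raw) and not trusted_fixed(raw))

# (inclusive lower bound, inclusive upper bound prefix, fixed release) from the advisory
AFFECTED_RANGES = (
    ((6, 6, 0), (8, 11, 3), "8.11.4"),
    ((9, 0, 0), (9, 6),     "9.7.0"),   # "9.6.x": any 9.6 patch release
)

def fix_for(version: str) -> Optional[str]:
    """Release to upgrade to, or None when the version is outside the affected ranges."""
    v = tuple(int(p) for p in version.split("."))
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v and v[:len(hi)] <= hi:
            return fixed
    return None
```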


Related Identifiers

BIT-SOLR-2024-45217
CVE-2024-45217
GHSA-H7W9-C5VX-X7J3

Affected Products

Apache Solr