CVE-2024-52012

Name of the Vulnerable Software and Affected Versions Apache Solr versions 6.6 through 9.7.0

Description Apache Solr instances running on Windows are susceptible to arbitrary file path write access due to insufficient input validation in the 'configset upload' API. This is commonly known as a 'zipslip', where maliciously crafted ZIP files can utilize relative file paths to write data to unintended locations within the file system. The API endpoint involved is /configset upload. The vulnerability allows for arbitrary file writes through the manipulation of ZIP file contents.

Recommendations Upgrade to version 9.8.0 to resolve the issue. For users unable to upgrade, restrict access to the /configset upload API using Solr's "Rule-Based Authentication Plugin" to a trusted set of administrators and users.