{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24814", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-01-24T12:48:40.114Z", "datePublished": "2025-01-27T08:58:08.768Z", "dateUpdated": "2025-02-15T00:10:36.558Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Solr", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "9.7", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "pwn null"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Core creation allows users to replace \"trusted\" configset files with arbitrary configuration</p>Solr instances that (1) use the \"FileSystemConfigSetService\" component (the default in \"standalone\" or \"user-managed\" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual \"trusted\" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem.&nbsp; These replacement config files are treated as \"trusted\" and can use \"&lt;lib&gt;\" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin.<br><br>This issue affects all Apache Solr versions up through Solr 9.7.&nbsp; Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from \"FileSystemConfigSetService\").&nbsp; Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of \"&lt;lib&gt;\" tags by default.<br>"}], "value": "Core creation allows users to replace \"trusted\" configset files with arbitrary configuration\n\nSolr instances that (1) use the \"FileSystemConfigSetService\" component (the default in \"standalone\" or \"user-managed\" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual \"trusted\" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem.\u00a0 These replacement config files are treated as \"trusted\" and can use \"<lib>\" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin.\n\nThis issue affects all Apache Solr versions up through Solr 9.7.\u00a0 Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from \"FileSystemConfigSetService\").\u00a0 Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of \"<lib>\" tags by default."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-250", "description": "CWE-250 Execution with Unnecessary Privileges", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-01-27T08:58:08.768Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/gl291pn8x9f9n52ys5l0pc0b6qtf0qw1"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Solr: Core-creation with \"trusted\" configset can use arbitrary untrusted files", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/01/26/1"}, {"url": "https://security.netapp.com/advisory/ntap-20250214-0002/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-15T00:10:36.558Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-27T14:10:58.492586Z", "id": "CVE-2025-24814", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-06T16:02:37.895Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/01/26/1"}, {"url": "https://security.netapp.com/advisory/ntap-20250214-0002/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-15T00:10:36.558Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-24814", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-27T14:10:58.492586Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-27T14:10:47.663Z"}}], "cna": {"title": "Apache Solr: Core-creation with \"trusted\" configset can use arbitrary untrusted files", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "pwn null"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Solr", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "9.7"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/gl291pn8x9f9n52ys5l0pc0b6qtf0qw1", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Core creation allows users to replace \"trusted\" configset files with arbitrary configuration\n\nSolr instances that (1) use the \"FileSystemConfigSetService\" component (the default in \"standalone\" or \"user-managed\" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual \"trusted\" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem.\u00a0 These replacement config files are treated as \"trusted\" and can use \"<lib>\" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin.\n\nThis issue affects all Apache Solr versions up through Solr 9.7.\u00a0 Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from \"FileSystemConfigSetService\").\u00a0 Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of \"<lib>\" tags by default.", "supportingMedia": [{"type": "text/html", "value": "<p>Core creation allows users to replace \"trusted\" configset files with arbitrary configuration</p>Solr instances that (1) use the \"FileSystemConfigSetService\" component (the default in \"standalone\" or \"user-managed\" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual \"trusted\" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem.&nbsp; These replacement config files are treated as \"trusted\" and can use \"&lt;lib&gt;\" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin.<br><br>This issue affects all Apache Solr versions up through Solr 9.7.&nbsp; Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from \"FileSystemConfigSetService\").&nbsp; Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of \"&lt;lib&gt;\" tags by default.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-250", "description": "CWE-250 Execution with Unnecessary Privileges"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-01-27T08:58:08.768Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24814", "state": "PUBLISHED", "dateUpdated": "2025-02-15T00:10:36.558Z", "dateReserved": "2025-01-24T12:48:40.114Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-01-27T08:58:08.768Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*", "matchCriteriaId": "D59403D1-1B17-4DF8-9100-F3A87BCA78B1", "versionEndExcluding": "9.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Core creation allows users to replace \"trusted\" configset files with arbitrary configuration\n\nSolr instances that (1) use the \"FileSystemConfigSetService\" component (the default in \"standalone\" or \"user-managed\" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual \"trusted\" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem.\u00a0 These replacement config files are treated as \"trusted\" and can use \"<lib>\" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin.\n\nThis issue affects all Apache Solr versions up through Solr 9.7.\u00a0 Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from \"FileSystemConfigSetService\").\u00a0 Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of \"<lib>\" tags by default."}, {"lang": "es", "value": "Core creation permite a los usuarios reemplazar archivos de configuraci\u00f3n \"confiables\" con instancias Solr de configuraci\u00f3n arbitraria que (1) usan el componente \"FileSystemConfigSetService\" (el valor predeterminado en modo \"aut\u00f3nomo\" o \"administrado por el usuario\") y (2) se ejecutan sin autenticaci\u00f3n ni autorizaci\u00f3n y son vulnerables a una especie de escalada de privilegios en la que los archivos de configuraci\u00f3n \"confiables\" individuales pueden ignorarse a favor de reemplazos potencialmente no confiables disponibles en otras partes del sistema de archivos. Estos archivos de configuraci\u00f3n de reemplazo se tratan como \"confiables\" y pueden usar etiquetas \"\" para agregarlos a la ruta de clase de Solr, que un atacante podr\u00eda usar para cargar c\u00f3digo malicioso como un searchComponent u otro complemento. Este problema afecta a todas las versiones de Apache Solr hasta Solr 9.7. Los usuarios pueden protegerse contra la vulnerabilidad habilitando la autenticaci\u00f3n y la autorizaci\u00f3n en sus cl\u00fasteres Solr o cambiando a SolrCloud (y dejando de lado \"FileSystemConfigSetService\"). Tambi\u00e9n se recomienda a los usuarios actualizar a Solr 9.8.0, que mitiga este problema al deshabilitar el uso de etiquetas \"\" de forma predeterminada."}], "id": "CVE-2025-24814", "lastModified": "2025-06-25T16:41:43.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-27T09:15:14.947", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/gl291pn8x9f9n52ys5l0pc0b6qtf0qw1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2025/01/26/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20250214-0002/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-250"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "solr: org.apache.solr: Apache Solr: Core-creation with \"trusted\" configset can use arbitrary untrusted files", "id": "2342221", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342221"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-250", "details": ["Core creation allows users to replace \"trusted\" configset files with arbitrary configuration\nSolr instances that (1) use the \"FileSystemConfigSetService\" component (the default in \"standalone\" or \"user-managed\" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual \"trusted\" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem.\u00a0 These replacement config files are treated as \"trusted\" and can use \"<lib>\" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin.\nThis issue affects all Apache Solr versions up through Solr 9.7.\u00a0 Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from \"FileSystemConfigSetService\").\u00a0 Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of \"<lib>\" tags by default.", "A flaw was found in Apache Solr. Solr instances that use the \"FileSystemConfigSetService\" component, the default in \"standalone\" or \"user-managed\" mode, and are running without authentication and authorization are vulnerable to a privilege escalation wherein individual \"trusted\" config set files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem.\u00a0 These replacement config files are treated as \"trusted\" and can use \"<lib>\" tags to add to Solr's classpath. This flaw allows an attacker to load malicious code as a searchComponent or other plugin."], "mitigation": {"lang": "en:us", "value": "Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from \"FileSystemConfigSetService\")."}, "name": "CVE-2025-24814", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "org.apache.solr/solr-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Fix deferred", "package_name": "org.apache.solr/solr-core", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.apache.solr/solr-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.apache.solr/solr-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2025-01-27T08:58:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-24814\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-24814\nhttp://www.openwall.com/lists/oss-security/2025/01/26/1\nhttps://lists.apache.org/thread/gl291pn8x9f9n52ys5l0pc0b6qtf0qw1"], "threat_severity": "Low"}