oss-sec mailing list archives

Severity: moderate

Affected versions:

- Apache Solr through 9.7

Description:

Core creation allows users to replace "trusted" configset files with arbitrary configuration

Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" 
mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation 
wherein individual "trusted" configset files can be ignored in favor of potentially-untrusted replacements available 
elsewhere on the filesystem.  These replacement config files are treated as "trusted" and can use "<lib>" tags to add 
to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin.

This issue affects all Apache Solr versions up through Solr 9.7.  Users can protect against the vulnerability by 
enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from 
"FileSystemConfigSetService").  Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by 
disabling use of "<lib>" tags by default.

Credit:

pwn null (finder)

References:

https://solr.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-24814

Current thread:

• CVE-2025-24814: Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files Jason Gerlowski (Jan 26)