{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-50291", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-12-06T17:56:16.223Z", "datePublished": "2024-02-09T17:29:32.882Z", "dateUpdated": "2025-02-13T17:19:03.580Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Solr", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "8.11.2", "status": "affected", "version": "6.0.0", "versionType": "semver"}, {"lessThan": "9.3.0", "status": "affected", "version": "9.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Michael Taggart"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insufficiently Protected Credentials vulnerability in Apache Solr.<p></p><p>This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.<span style=\"background-color: rgb(255, 255, 255);\"><br></span>One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.<br>There are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.<br><span style=\"background-color: rgb(255, 255, 255);\">This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.</span><br></p>This /admin/info/properties endpoint is protected under the \"config-read\" permission.<br>Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.<br><p>Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.<br>A single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".<br>By default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".</p><p>Users who cannot upgrade can also use the following Java system property to fix the issue:<br>&nbsp; '-D<span style=\"background-color: rgb(255, 255, 255);\">solr.redaction.system.pattern</span>=.*(password|secret|basicauth).*'</p><p></p>"}], "value": "Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n\u00a0 '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-09T17:30:06.569Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/09/4"}], "source": {"defect": ["SOLR-16809"], "discovery": "EXTERNAL"}, "title": "Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:16:46.115Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/09/4", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*", "matchCriteriaId": "21D17629-7025-4DB8-936C-2C074AC00515", "versionEndExcluding": "8.11.3", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1EF37F2-A898-4CF3-A122-1EEA13E6DDA4", "versionEndExcluding": "9.3.0", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n\u00a0 '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'"}, {"lang": "es", "value": "Vulnerabilidad de credenciales insuficientemente protegidas en Apache Solr. Este problema afecta a Apache Solr: desde 6.0.0 hasta 8.11.2, desde 9.0.0 antes de 9.3.0. Uno de los dos endpoints que publica las propiedades del sistema Java del proceso Solr, /admin/info/properties, solo se configur\u00f3 para ocultar las propiedades del sistema que ten\u00edan \"password\" en el nombre. Hay una serie de propiedades confidenciales del sistema, como \"basicauth\" y \"aws.secretKey\" que no contienen \"password\", por lo que sus valores se publicaron a trav\u00e9s del endpoint \"/admin/info/properties\". Este endpoint completa la lista de System Properties en la pantalla de inicio de la p\u00e1gina de administraci\u00f3n de Solr, lo que hace que las credenciales expuestas sean visibles en la interfaz de usuario. Este endpoint /admin/info/properties est\u00e1 protegido bajo el permiso \"config-read\". Por lo tanto, las nubes Solr con autorizaci\u00f3n habilitada solo ser\u00e1n vulnerables a trav\u00e9s de usuarios registrados que tengan el permiso \"config-read\". Se recomienda a los usuarios actualizar a la versi\u00f3n 9.3.0 u 8.11.3, que soluciona el problema. Una \u00fanica opci\u00f3n ahora controla la ocultaci\u00f3n de la propiedad del sistema Java para todos los endpoints, \"-Dsolr.hiddenSysProps\". De forma predeterminada, todas las propiedades confidenciales conocidas est\u00e1n ocultas (incluido \"-Dbasicauth\"), as\u00ed como cualquier propiedad cuyo nombre contenga \"secret\" o \"password\". Los usuarios que no pueden actualizar tambi\u00e9n pueden utilizar la siguiente propiedad del sistema Java para solucionar el problema: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'"}], "id": "CVE-2023-50291", "lastModified": "2025-02-13T18:15:49.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-09T18:15:08.240", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/02/09/4"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/02/09/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "solr: system property redaction logic inconsistency can lead to leaked passwords", "id": "2263577", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263577"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-522", "details": ["Insufficiently Protected Credentials vulnerability in Apache Solr.\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n\u00a0 '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'", "A flaw was found in Apache Solr. The /admin/info/properties endpoint, which publishes the Solr process' Java system properties, is only setup to hide system properties that have \"password\" contained in the name. There are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\", that do not contain \"password\"; therefore, their values can be published via the vulnerable endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI."], "name": "CVE-2023-50291", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "solr", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "solr", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "camel-solr", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "solr", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "solr", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}], "public_date": "2024-02-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-50291\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-50291"], "threat_severity": "Moderate", "upstream_fix": "solr 9.3.0, solr 8.11.3"}