- Description
- Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual "trusted" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem. These replacement config files are treated as "trusted" and can use "<lib>" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin. This issue affects all Apache Solr versions up through Solr 9.7. Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from "FileSystemConfigSetService"). Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of "<lib>" tags by default.
- Source
- security@apache.org
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 5.4
- Impact score
- 2.5
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
- security@apache.org
- CWE-250
- Hype score
- Not currently trending
Threat Alert: Apache Solr Vulnerabilities CVE-2024-52012 and CVE-2025-24814 Expose Systems to CVE-2025-24814 CVE-2024-52012 Severity: 🔴 High Maturity: 💢 Emerging Learn more: https://t.co/lZbohqjzl2 #CyberSecurity #ThreatIntel #InfoSec
@fletch_ai
28 Jan 2025
47 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Apache Solr Vulnerabilities CVE-2024-52012 and CVE-2025-24814 Expose Systems to File Write and Code Execution Risks https://t.co/7o0N7idjhR
@Dinosn
27 Jan 2025
2018 Impressions
10 Retweets
22 Likes
3 Bookmarks
0 Replies
0 Quotes
CVE-2025-24814 Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (… https://t.co/jwDKR1X4Vb
@CVEnew
27 Jan 2025
499 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-24814: Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files https://t.co/gpIKdVQC7t CVE-2024-52012: Apache Solr: Configset upload on Windows allows arbitrary path write-access https://t.co/OygBilIUyF
@oss_security
26 Jan 2025
259 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes