CVE-2024-45217— Apache Solr: ConfigSets created during a backup restore command are trusted implicitly

Apache Solr: ConfigSets created during a backup restore command are trusted implicitly

Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request. "trusted" ConfigSets are able to load custom code into classloaders, therefore the flag is supposed to only be set when the request that uploads the ConfigSet is Authenticated & Authorized. This issue affects Apache Solr: from 6.6.0 before 8.11.4, from 9.0.0 before 9.7.0. This issue does not affect Solr instances that are secured via Authentication/Authorization. Users are primarily recommended to use Authentication and Authorization when running Solr. However, upgrading to version 9.7.0, or 8.11.4 will mitigate this issue otherwise.

N/A

不安全的默认资源初始化

Apache Solr 安全漏洞

Apache Solr是美国阿帕奇（Apache）基金会的一款基于Lucene（一款全文搜索引擎）的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。 Apache Solr 6.6.0至8.11.4之前版本和9.0.0至9.7.0之前版本存在安全漏洞，该漏洞源于存在资源默认初始化不安全漏洞，导致未通过认证请求创建的trusted ConfigSets可以加载自定义代码到类加载器中。

N/A

N/A