Associated Vulnerability
Title: Apache Solr: Host environment variables are published via the Metrics API (CVE-2023-50290)
Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide; however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties, which are set per Java process. The Solr Metrics API is protected by the "metrics-read" permission. Therefore, Solr Clouds with Authorization set up will only be vulnerable via users with the "metrics-read" permission. This issue affects Apache Solr: from 9.0.0 before 9.3.0. Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.
Description
Bug bounty and vulnerability research reports by Desai Vinayak — includes CVE-2023-50290 (Apache Solr) and Zscaler subdomain takeover findings.
Readme
# 🧩 Bug Bounty Reports — Desai Vinayak
**🔒 Bug bounty and vulnerability research reports by _Desai Vinayak_.**
This repository collects **passive, non-destructive** vulnerability write-ups and supporting evidence for **coordinated disclosure** and **remediation tracking**.
---
## 📁 Contents
📂 **reports/** — PDF, DOCX, and evidence files for each report:
- 🧠 `Bug_Bounty_Report_Desai_Vinayak_CVE-2023-50290.pdf` — Apache Solr Metrics API information disclosure (**CVE-2023-50290**).
- 🌐 `zscaler_bugbounty_report.pdf` — Potential subdomain takeover findings for selected `zscaler.com` subdomains.
- 📜 `CVE-2023-50290_summary.md` — Markdown summary of the Solr report.
- 📜 `zscaler_subdomain_takeover_summary.md` — Markdown summary of the Zscaler findings.
🧾 **Other files**
- 🤝 `CONTRIBUTING.md` — Guidance for triage teams and vendors.
- 🕵️ `DISCLOSURE_POLICY.md` — Coordinated disclosure expectations.
- 🧩 `ISSUE_TEMPLATE.md` — Template to open remediation/tracking issues.
- ⚙️ `.github/workflows/` — CI placeholders.
- 🚀 `PUBLISH.md` — Quick publish instructions.
---
## 🧠 Summary
This repository currently contains two primary reports produced via **passive reconnaissance**:
### 🔹 Apache Solr — CVE-2023-50290
The Solr Metrics API can expose environment and configuration details that may leak sensitive information.
📄 See the Solr PDF and summary in `/reports`.
### 🔹 Zscaler — Potential Subdomain Takeover
Several `zscaler.com` subdomains resolve to third-party hosts returning provider unconfigured/error pages (e.g., AWS ELB, Acquia, UptimeRobot).
These may be vulnerable to takeover if unprovisioned.
📄 See the Zscaler PDF and summary in `/reports`.
🧷 **All scans and evidence collection were passive and non-destructive:**
DNS lookups, certificate-transparency checks, HTTP headers, and non-invasive content captures.
No credentials, no POST requests, no exploitation performed.
---
## ⚙️ How to Use
👩‍💻 **Vendors / Triage Teams**
- Open an issue using `ISSUE_TEMPLATE.md`.
- Reference the report filename in `/reports/`.
- Include remediation steps, progress updates, and final status.
🧑‍🔬 **External Researchers**
- Please follow the coordinated disclosure policy (`DISCLOSURE_POLICY.md`) before publishing or sharing findings.
---
## 🧰 Remediation Recommendations (High-Level)
✅ Remove or fix unused CNAME records that point to third-party services.
✅ Properly configure custom domains on provider dashboards for services in use.
✅ Restrict access to sensitive admin endpoints (e.g., Solr `/admin/metrics`) and require authentication.
✅ Rotate any secrets that may have been exposed via configuration or environment variables.
✅ Implement DNS monitoring and alerting for unexpected external CNAMEs or CT-log changes.
📎 _Detailed remediation steps are included in each report._
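As an added illustration of the `/admin/metrics` recommendation above (not part of this repository's reports or of the Solr project's own files), the following minimal Solr `security.json` enables Basic Auth, blocks unauthenticated requests, and grants the `metrics-read` permission only to an `admin` role. The credential value is a placeholder to be replaced with a hash generated as described in Solr's Basic Auth documentation; the `solr` user name and `admin` role name are assumptions.

```json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "solr": "<sha256-password-hash-placeholder> <salt-placeholder>"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      { "name": "metrics-read", "role": "admin" },
      { "name": "all", "role": "admin" }
    ],
    "user-role": {
      "solr": "admin"
    }
  }
}
```

This narrows who can read the Metrics API but does not change what it returns: on affected versions (9.0.0 before 9.3.0) any account holding `metrics-read` still sees the host's environment variables, so the authorization rule is a containment step alongside the upgrade to 9.3.0 or later that the advisory recommends, and any secrets that were reachable through those variables should still be rotated.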
---
## 🤝 Coordinated Disclosure & Contact
**Reporter:** Desai Vinayak
📧 **Email:** [desaivinayak449@gmail.com](mailto:desaivinayak449@gmail.com)
Please acknowledge receipt and provide a remediation timeline when opening issues or contacting the reporter.
Coordinated disclosure is requested — **public disclosure should be delayed until remediation is complete** (see `DISCLOSURE_POLICY.md`).
---
## 📄 License
🪪 This repository is distributed under the **MIT License**.
See `LICENSE` for full terms.
File Snapshot
[4.0K] /data/pocs/46fc4777100aae990d288a8fa92534251f71d9ee
├── [2.6K] live_url.txt
├── [1.4K] nuclei_exposed_more.txt
├── [3.4K] README.md
├── [2.1K] targets.txt
├── [ 57K] urls.txt
├── [1022K] zscaler_bugbounty_report.pdf
└── [5.9K] zscaler_report.txt
1 directory, 7 files