CVE-2023-50291

Source: https://nvd.nist.gov/vuln/detail/CVE-2023-50291
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-50291.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2023-50291
Published: 2024-02-09T18:15:08Z
Modified: 2025-08-09T20:01:27Z
Severity: 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary: [none]

Details

Insufficiently Protected Credentials vulnerability in Apache Solr.

This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publish the Solr process' Java system properties, /admin/info/properties, was only set up to hide system properties that had "password" contained in the name. A number of sensitive system properties, such as "basicauth" and "aws.secretKey", do not contain "password", so their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.

This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option, "-Dsolr.hiddenSysProps", now controls hiding Java system properties for all endpoints. By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password".

Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'
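The gap between the old name filter and the workaround pattern can be checked offline against a saved properties response. This is an added example, not Solr's code: the `system.properties` response key, the `--REDACTED--` placeholder, case-insensitive whole-name matching, and every sample property value are assumptions or constructed data.

```python
import json
import re

# Assumed placeholder that a redacting endpoint writes in place of a hidden value.
REDACTED = "--REDACTED--"

# Behaviour the advisory describes for affected versions: only names
# containing "password" are hidden (case-insensitivity is an assumption).
LEGACY = re.compile(r".*password.*", re.IGNORECASE)

# Workaround pattern from the advisory. The leading and trailing ".*" turn a
# whole-name match into a substring match (whole-name matching is assumed).
WORKAROUND = re.compile(r".*(password|secret|basicauth).*", re.IGNORECASE)


def redact(props, pattern):
    """Return a copy of props with the value hidden for every matching name."""
    return {
        name: (REDACTED if pattern.fullmatch(name) else value)
        for name, value in props.items()
    }


def render(props, pattern):
    """Build a response body shaped like the properties endpoint output."""
    return json.dumps({"system.properties": redact(props, pattern)})


def leaked(response_body, sensitive=WORKAROUND):
    """List property names that look sensitive but still carry a real value."""
    doc = json.loads(response_body)
    props = doc.get("system.properties", {})
    return sorted(
        name
        for name, value in props.items()
        if sensitive.fullmatch(name) and value != REDACTED
    )


# Constructed sample of JVM system properties; the values are placeholders.
SAMPLE_PROPS = {
    "basicauth": "solr:EXAMPLE-ONLY",
    "aws.secretKey": "EXAMPLE-ONLY-KEY",
    "javax.net.ssl.keyStorePassword": "EXAMPLE-ONLY-PW",
    "solr.solr.home": "/var/solr/data",
}

if __name__ == "__main__":
    for label, pattern in (("legacy", LEGACY), ("workaround", WORKAROUND)):
        body = render(SAMPLE_PROPS, pattern)
        print(f"{label}: unredacted sensitive properties = {leaked(body)}")
```

To audit a real node, save the JSON body returned by its properties endpoint and pass that text to `leaked()`; an empty list means no name matching the workaround pattern is published with a value.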

References

Affected packages

Git / github.com/apache/lucene-solr

Affected ranges

Type: GIT
Repo: https://github.com/apache/lucene-solr
Events:

Type: GIT
Repo: https://github.com/apache/solr
Events:

Database specific
