CVE-2024-45216

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-45216

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45216.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-45216

Aliases

Downstream

UBUNTU-CVE-2024-45216

Published

2024-10-16T08:15:05Z

Modified

2025-07-02T00:48:59Z

Summary

[none]

Details

Improper Authentication vulnerability in Apache Solr.

Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing.

This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0.

Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.

References

Affected packages

Git / github.com/apache/lucene-solr

Affected ranges

Type: GIT
Repo: https://github.com/apache/lucene-solr
Events: Introduced

cb922f860e8f7522287b55ea4bcd1059219bc1b3

Fixed

e27f44e3d78dfcec230c97e0a1240e3751daeff9

Type: GIT
Repo: https://github.com/apache/solr
Events: Introduced

a4eb7aa123dc53f8dac74d80b66a490f2d6b4a26

Fixed

675a41516e3f3bacfc975590773e7abdca444ff4