CVE-2025-24814

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-24814

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24814.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-24814

Aliases

Related

UBUNTU-CVE-2025-24814

Published

2025-01-27T09:15:14Z

Modified

2025-07-01T16:27:56.881918Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

Core creation allows users to replace "trusted" configset files with arbitrary configuration

Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual "trusted" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem. These replacement config files are treated as "trusted" and can use "<lib>" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin.

This issue affects all Apache Solr versions up through Solr 9.7. Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from "FileSystemConfigSetService"). Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of "<lib>" tags by default.

References

Affected packages

Debian:11 / lucene-solr

Package

Name: lucene-solr
Purl: pkg:deb/debian/lucene-solr?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.2+dfsg-23

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / lucene-solr

Package

Name: lucene-solr
Purl: pkg:deb/debian/lucene-solr?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.2+dfsg-23

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / lucene-solr

Package

Name: lucene-solr
Purl: pkg:deb/debian/lucene-solr?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.2+dfsg-23

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/solr

Affected ranges

Type: GIT
Repo: https://github.com/apache/solr
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8bf0100e502ade4b8161e4b90f762b117a6ef442

Affected versions

Other

grafts/lucene-oldest

grafts/lucene-solr-copy

grafts/lucene-solr-oldest-merged

grafts/solr-incubator-latest

grafts/solr-incubator-oldest

grafts/solr-latest

grafts/solr-oldest

history/branches/lucene-solr/LUCENE-5622

history/branches/lucene-solr/LUCENE2793

history/branches/lucene-solr/branch_7

history/branches/lucene-solr/cleanup2878

history/branches/lucene-solr/docvalues

history/branches/lucene-solr/jira/lucene-5438-nrt-replication

history/branches/lucene-solr/lucene-6835

history/branches/lucene-solr/lucene-6997

history/branches/lucene-solr/lucene/main

history/branches/lucene-solr/lucene2510

history/branches/lucene-solr/lucene2858

history/branches/lucene-solr/lucene3069

history/branches/lucene-solr/lucene3312

history/branches/lucene-solr/lucene3606

history/branches/lucene-solr/lucene3661

history/branches/lucene-solr/lucene3795_lsp_spatial_module

history/branches/lucene-solr/lucene3846

history/branches/lucene-solr/lucene3969

history/branches/lucene-solr/lucene4055

history/branches/lucene-solr/lucene4199

history/branches/lucene-solr/lucene4236

history/branches/lucene-solr/lucene4335

history/branches/lucene-solr/lucene4446

history/branches/lucene-solr/lucene4547

history/branches/lucene-solr/lucene4765

history/branches/lucene-solr/lucene5178

history/branches/lucene-solr/lucene5207

history/branches/lucene-solr/lucene5339

history/branches/lucene-solr/lucene539399

history/branches/lucene-solr/lucene5468

history/branches/lucene-solr/lucene5487

history/branches/lucene-solr/lucene5493

history/branches/lucene-solr/lucene5611

history/branches/lucene-solr/lucene5666

history/branches/lucene-solr/lucene5675

history/branches/lucene-solr/lucene5752

history/branches/lucene-solr/lucene5858

history/branches/lucene-solr/lucene5969

history/branches/lucene-solr/lucene5995

history/branches/lucene-solr/lucene6196

history/branches/lucene-solr/lucene6238

history/branches/lucene-solr/lucene6271

history/branches/lucene-solr/lucene6299

history/branches/lucene-solr/lucene6487

history/branches/lucene-solr/origin/branch_8_x

history/branches/lucene-solr/pforcodec_3892

history/branches/lucene-solr/pointvalues

history/branches/lucene-solr/preflexfixes

history/branches/lucene-solr/realtime_search

history/branches/lucene-solr/slowclosing

history/branches/lucene-solr/solr/main

history/branches/lucene-solr/solr2452

history/branches/lucene-solr/solr3733

history/branches/lucene-solr/solr5914

history/branches/lucene-solr/solr7787