Vulnerability Description
Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API. Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem. This issue affects Apache Solr: from 6.6 through 9.7.0. Users are recommended to upgrade to version 9.8.0, which fixes the issue. Users unable to upgrade may also safely prevent the issue by using Solr's "Rule-Based Authentication Plugin" to restrict access to the configset upload API, so that it can only be accessed by a trusted set of administrators/users.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Solr | >= 6.6.0, < 9.8.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxdMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2025/01/26/2Mailing ListThird Party Advisory
FAQ
What is CVE-2024-52012?
CVE-2024-52012 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" ...
How severe is CVE-2024-52012?
CVE-2024-52012 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-52012?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Solr.