CVE-2023-50298

{"id": "CVE-2023-50298", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-02-09T18:15:08.457", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/02/09/2", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/09/3", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions", "tags": ["Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.\n\nSolr Streaming Expressions allows users to extract data from other Solr Clouds, using a \"zkHost\" parameter.\nWhen original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever \"zkHost\" the user provides.\nAn attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information,\nthen send a streaming expression using the mock server's address in \"zkHost\".\nStreaming Expressions are exposed via the \"/streaming\" handler, with \"read\" permissions.\n\nUsers are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.\nFrom these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.\n\n"}, {"lang": "es", "value": "Exposici\u00f3n de informaci\u00f3n confidencial a una vulnerabilidad de actor no autorizado en Apache Solr. Este problema afecta a Apache Solr: desde 6.0.0 hasta 8.11.2, desde 9.0.0 antes de 9.4.1. Solr Streaming Expressions permite a los usuarios extraer datos de otras nubes Solr, utilizando un par\u00e1metro \"zkHost\". Cuando SolrCloud original est\u00e1 configurado para usar las credenciales y ACL de ZooKeeper, se enviar\u00e1n a cualquier \"zkHost\" que proporcione el usuario. Un atacante podr\u00eda configurar un servidor para simular ZooKeeper, que acepte solicitudes de ZooKeeper con credenciales y ACL y extraiga la informaci\u00f3n confidencial, luego env\u00ede una expresi\u00f3n de transmisi\u00f3n usando la direcci\u00f3n del servidor simulado en \"zkHost\". Las expresiones de transmisi\u00f3n se exponen a trav\u00e9s del controlador \"/streaming\", con permisos de \"lectura\". Se recomienda a los usuarios actualizar a la versi\u00f3n 8.11.3 o 9.4.1, que soluciona el problema. A partir de estas versiones, solo los valores de zkHost que tengan la misma direcci\u00f3n de servidor (independientemente de chroot) utilizar\u00e1n las credenciales y ACL proporcionadas de ZooKeeper al conectarse."}], "lastModified": "2024-02-15T18:40:56.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21D17629-7025-4DB8-936C-2C074AC00515", "versionEndExcluding": "8.11.3", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "05682843-ACA2-430C-8BAE-292DD1E9C59E", "versionEndExcluding": "9.4.1", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}