CVE-2023-50291: 
Java vulnerability analysis and mitigation

CVE-2023-50291 is an Insufficiently Protected Credentials vulnerability affecting Apache Solr versions from 6.0.0 through 8.11.2 and from 9.0.0 before 9.3.0. The vulnerability was discovered in early 2024 and involves the exposure of sensitive system properties through the /admin/info/properties endpoint (Vendor Advisory, NVD).

The vulnerability stems from inconsistent redaction logic in the /admin/info/properties endpoint, which was configured to hide only system properties containing the word 'password'. This allowed the exposure of other sensitive properties like 'basicauth' and 'aws.secretKey' through the endpoint. The exposed credentials become visible in the Solr Admin UI's home screen. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows users with 'config-read' permission to view sensitive system properties and credentials through the Solr Admin UI. For Solr Clouds with Authorization enabled, the vulnerability is limited to logged-in users who have the 'config-read' permission (Vendor Advisory).

Users are recommended to upgrade to version 9.3.0 or 8.11.3, which implements consistent system property redaction logic. The fix introduces a single option '-Dsolr.hiddenSysProps' that controls hiding Java system properties for all endpoints. By default, all known sensitive properties are hidden, including properties containing 'secret' or 'password'. For users unable to upgrade, a workaround is available by setting the Java system property: '-Dsolr.redaction.system.pattern=.(password|secret|basicauth).' (Vendor Advisory).