CVE-2023-50292: 
Java vulnerability analysis and mitigation

A critical security vulnerability was identified in Apache Solr (CVE-2023-50292) affecting versions from 8.10.0 through 8.11.2 and 9.0.0 before 9.3.0. The vulnerability stems from the Schema Designer feature, which was introduced to facilitate the configuration and testing of new Schemas and configSets. The core issue lies in the feature's failure to properly consider the trust (authentication) status of configSets (Solr Security, OSS Security).

The vulnerability is classified as an Incorrect Permission Assignment for Critical Resource and Improper Control of Dynamically-Managed Code Resources issue. The Schema Designer loaded configSets without verifying their trust status, allowing configSets created by unauthenticated users to load external libraries. This bypassed the normal security restriction where external library loading is limited to trusted configSets (those created by authenticated users). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could potentially lead to Remote Code Execution (RCE) by allowing unauthenticated users to load external libraries through untrusted configSets when using the Schema Designer. This represents a significant security risk as it bypasses the intended authentication controls for external library loading (Solr Security).

The recommended mitigation is to upgrade to Apache Solr version 9.3.0 or later, which includes fixes for this vulnerability. For users of version 8.x, upgrading to version 8.11.3 is recommended. These versions implement proper trust verification for configSets in the Schema Designer (Solr Security).