Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-keda-efkh-y3fg
Summary
Apache Solr allows read access to host environment variables
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.

The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide; however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties, which are set per Java process.

The Solr Metrics API is protected by the "metrics-read" permission. Therefore, Solr Clouds with Authorization set up will only be vulnerable via users with the "metrics-read" permission.

This issue affects Apache Solr: from 9.0.0 before 9.3.0.

Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.
Aliases
0
alias CVE-2023-50290
1
alias GHSA-gg7w-pw2r-x2cq
Fixed_packages
0
url pkg:deb/debian/lucene-solr@0?distro=trixie
purl pkg:deb/debian/lucene-solr@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie
1
url pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie
purl pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie
2
url pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie
purl pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie
3
url pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie
purl pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie
4
url pkg:maven/org.apache.solr/solr-core@9.3.0
purl pkg:maven/org.apache.solr/solr-core@9.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3gq7-8e2z-yqcv
1
vulnerability VCID-418m-x1un-gufd
2
vulnerability VCID-5781-s1ny-q7ey
3
vulnerability VCID-hpys-9ncu-3bgv
4
vulnerability VCID-t4p6-84y8-kbbu
5
vulnerability VCID-uaxq-nmwp-5uct
6
vulnerability VCID-v5ka-6bd4-33ft
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.solr/solr-core@9.3.0
Affected_packages
0
url pkg:maven/org.apache.solr/solr-core@9.0.0
purl pkg:maven/org.apache.solr/solr-core@9.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3gq7-8e2z-yqcv
1
vulnerability VCID-418m-x1un-gufd
2
vulnerability VCID-5781-s1ny-q7ey
3
vulnerability VCID-hpys-9ncu-3bgv
4
vulnerability VCID-jc41-ky5q-tkhv
5
vulnerability VCID-keda-efkh-y3fg
6
vulnerability VCID-qkt3-eevh-ekcr
7
vulnerability VCID-t4p6-84y8-kbbu
8
vulnerability VCID-uaxq-nmwp-5uct
9
vulnerability VCID-v5ka-6bd4-33ft
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.solr/solr-core@9.0.0
1
url pkg:maven/org.apache.solr/solr-core@9.1.0
purl pkg:maven/org.apache.solr/solr-core@9.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3gq7-8e2z-yqcv
1
vulnerability VCID-418m-x1un-gufd
2
vulnerability VCID-5781-s1ny-q7ey
3
vulnerability VCID-hpys-9ncu-3bgv
4
vulnerability VCID-jc41-ky5q-tkhv
5
vulnerability VCID-keda-efkh-y3fg
6
vulnerability VCID-qkt3-eevh-ekcr
7
vulnerability VCID-t4p6-84y8-kbbu
8
vulnerability VCID-uaxq-nmwp-5uct
9
vulnerability VCID-v5ka-6bd4-33ft
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.solr/solr-core@9.1.0
2
url pkg:maven/org.apache.solr/solr-core@9.1.1
purl pkg:maven/org.apache.solr/solr-core@9.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3gq7-8e2z-yqcv
1
vulnerability VCID-418m-x1un-gufd
2
vulnerability VCID-5781-s1ny-q7ey
3
vulnerability VCID-hpys-9ncu-3bgv
4
vulnerability VCID-jc41-ky5q-tkhv
5
vulnerability VCID-keda-efkh-y3fg
6
vulnerability VCID-qkt3-eevh-ekcr
7
vulnerability VCID-t4p6-84y8-kbbu
8
vulnerability VCID-uaxq-nmwp-5uct
9
vulnerability VCID-v5ka-6bd4-33ft
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.solr/solr-core@9.1.1
3
url pkg:maven/org.apache.solr/solr-core@9.2.0
purl pkg:maven/org.apache.solr/solr-core@9.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3gq7-8e2z-yqcv
1
vulnerability VCID-418m-x1un-gufd
2
vulnerability VCID-5781-s1ny-q7ey
3
vulnerability VCID-hpys-9ncu-3bgv
4
vulnerability VCID-jc41-ky5q-tkhv
5
vulnerability VCID-keda-efkh-y3fg
6
vulnerability VCID-qkt3-eevh-ekcr
7
vulnerability VCID-t4p6-84y8-kbbu
8
vulnerability VCID-uaxq-nmwp-5uct
9
vulnerability VCID-v5ka-6bd4-33ft
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.solr/solr-core@9.2.0
4
url pkg:maven/org.apache.solr/solr-core@9.2.1
purl pkg:maven/org.apache.solr/solr-core@9.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3gq7-8e2z-yqcv
1
vulnerability VCID-418m-x1un-gufd
2
vulnerability VCID-5781-s1ny-q7ey
3
vulnerability VCID-hpys-9ncu-3bgv
4
vulnerability VCID-jc41-ky5q-tkhv
5
vulnerability VCID-keda-efkh-y3fg
6
vulnerability VCID-qkt3-eevh-ekcr
7
vulnerability VCID-t4p6-84y8-kbbu
8
vulnerability VCID-uaxq-nmwp-5uct
9
vulnerability VCID-v5ka-6bd4-33ft
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.solr/solr-core@9.2.1
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50290.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50290.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-50290
reference_id
reference_type
scores
0
value 0.92562
scoring_system epss
scoring_elements 0.99737
published_at 2026-04-02T12:55:00Z
1
value 0.92874
scoring_system epss
scoring_elements 0.99768
published_at 2026-04-07T12:55:00Z
2
value 0.92874
scoring_system epss
scoring_elements 0.99771
published_at 2026-04-21T12:55:00Z
3
value 0.92874
scoring_system epss
scoring_elements 0.9977
published_at 2026-04-18T12:55:00Z
4
value 0.92874
scoring_system epss
scoring_elements 0.99769
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-50290
2
reference_url https://github.com/apache/lucene-solr
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/lucene-solr
3
reference_url https://github.com/apache/solr/commit/35fc4bdc48171d9a64251c54a1e76deb558cf9d8
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/solr/commit/35fc4bdc48171d9a64251c54a1e76deb558cf9d8
4
reference_url https://issues.apache.org/jira/browse/SOLR-16808
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://issues.apache.org/jira/browse/SOLR-16808
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50290
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-50290
6
reference_url https://solr.apache.org/security.html#cve-2023-50290-apache-solr-allows-read-access-to-host-environment-variables
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-09T20:17:07Z/
url https://solr.apache.org/security.html#cve-2023-50290-apache-solr-allows-read-access-to-host-environment-variables
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2258132
reference_id 2258132
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2258132
8
reference_url https://github.com/advisories/GHSA-gg7w-pw2r-x2cq
reference_id GHSA-gg7w-pw2r-x2cq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gg7w-pw2r-x2cq
Weaknesses
0
cwe_id 200
name Exposure of Sensitive Information to an Unauthorized Actor
description The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
1
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 2.0
Weighted_severity 6.2
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-keda-efkh-y3fg