VulnerableCode Package Details - pkg:maven/org.apache.solr/solr@9.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-9dma-s4ye-3ued Aliases: CVE-2024-45217 GHSA-h7w9-c5vx-x7j3	Insecure Default Initialization of Resource vulnerability in Apache Solr New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request. "trusted" ConfigSets are able to load custom code into classloaders, therefore the flag is supposed to only be set when the request that uploads the ConfigSet is Authenticated & Authorized. This issue affects Apache Solr: from 6.6.0 before 8.11.4, from 9.0.0 before 9.7.0. This issue does not affect Solr instances that are secured via Authentication/Authorization. Users are primarily recommended to use Authentication and Authorization when running Solr. However, upgrading to version 9.7.0, or 8.11.4 will mitigate this issue otherwise.	9.7.0 Affected by 0 other vulnerabilities.
VCID-vrdm-7wfj-qbht Aliases: CVE-2024-45216 GHSA-mjvf-4h88-6xm3	Improper Authentication vulnerability in Apache Solr Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.	9.7.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-9dma-s4ye-3ued
Aliases:
CVE-2024-45217
GHSA-h7w9-c5vx-x7j3

Insecure Default Initialization of Resource vulnerability in Apache Solr New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request. "trusted" ConfigSets are able to load custom code into classloaders, therefore the flag is supposed to only be set when the request that uploads the ConfigSet is Authenticated & Authorized. This issue affects Apache Solr: from 6.6.0 before 8.11.4, from 9.0.0 before 9.7.0. This issue does not affect Solr instances that are secured via Authentication/Authorization. Users are primarily recommended to use Authentication and Authorization when running Solr. However, upgrading to version 9.7.0, or 8.11.4 will mitigate this issue otherwise.

9.7.0
Affected by 0 other vulnerabilities.

VCID-vrdm-7wfj-qbht
Aliases:
CVE-2024-45216
GHSA-mjvf-4h88-6xm3

Improper Authentication vulnerability in Apache Solr Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.

9.7.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T12:40:15.713889+00:00	GitLab Importer	Affected by	VCID-vrdm-7wfj-qbht	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.solr/solr/CVE-2024-45216.yml	38.0.0
2026-04-02T12:40:15.647205+00:00	GitLab Importer	Affected by	VCID-9dma-s4ye-3ued	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.solr/solr/CVE-2024-45217.yml	38.0.0
2026-04-01T16:06:42.235578+00:00	GHSA Importer	Affected by	VCID-vrdm-7wfj-qbht	https://github.com/advisories/GHSA-mjvf-4h88-6xm3	38.0.0
2026-04-01T16:06:42.173055+00:00	GHSA Importer	Affected by	VCID-9dma-s4ye-3ued	https://github.com/advisories/GHSA-h7w9-c5vx-x7j3	38.0.0