VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-qkt3-eevh-ekcr

Essentials
Severities (21)
References (11)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-qkt3-eevh-ekcr
Aliases	CVE-2023-50292 GHSA-4wxw-42wx-2wfx
Summary	Apache Solr Schema Designer blindly "trusts" all configsets Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr. This issue affects Apache Solr from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0. The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, when the feature was created, the "trust" (authentication) of these configSets was not considered. External library loading is only available to configSets that are "trusted" (created by authenticated users), thus non-authenticated users are unable to perform Remote Code Execution. Since the Schema Designer loaded configSets without taking their "trust" into account, configSets that were created by unauthenticated users were allowed to load external libraries when used in the Schema Designer. Users are recommended to upgrade to version 9.3.0 or 8.11.3, both of which fix the issue.
Status	Published
Exploitability	0.5
Weighted Severity	6.8
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-732	Incorrect Permission Assignment for Critical Resource
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	6.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50292.json
epss	0.40116	https://api.first.org/data/v1/epss?cve=CVE-2023-50292
epss	0.40116	https://api.first.org/data/v1/epss?cve=CVE-2023-50292
epss	0.40116	https://api.first.org/data/v1/epss?cve=CVE-2023-50292
epss	0.40116	https://api.first.org/data/v1/epss?cve=CVE-2023-50292
epss	0.40116	https://api.first.org/data/v1/epss?cve=CVE-2023-50292
epss	0.40116	https://api.first.org/data/v1/epss?cve=CVE-2023-50292
epss	0.40116	https://api.first.org/data/v1/epss?cve=CVE-2023-50292
epss	0.40116	https://api.first.org/data/v1/epss?cve=CVE-2023-50292
epss	0.40116	https://api.first.org/data/v1/epss?cve=CVE-2023-50292
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-4wxw-42wx-2wfx
generic_textual	LOW	https://github.com/apache/lucene-solr/commit/6e9ed203b30958396bdfd41760d426b386646865
generic_textual	LOW	https://github.com/apache/solr/commit/d07751cfaa8065bea8bd43f59e758e50d50c2419
generic_textual	LOW	https://issues.apache.org/jira/browse/SOLR-16777
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2023-50292
cvssv3.1	7.5	https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions
generic_textual	LOW	https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions
ssvc	Track	https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions
cvssv3.1	7.5	http://www.openwall.com/lists/oss-security/2024/02/09/3
generic_textual	LOW	http://www.openwall.com/lists/oss-security/2024/02/09/3
ssvc	Track	http://www.openwall.com/lists/oss-security/2024/02/09/3

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50292.json
		https://api.first.org/data/v1/epss?cve=CVE-2023-50292
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50292
		https://github.com/apache/lucene-solr/commit/6e9ed203b30958396bdfd41760d426b386646865
		https://github.com/apache/solr/commit/d07751cfaa8065bea8bd43f59e758e50d50c2419
		https://issues.apache.org/jira/browse/SOLR-16777
		https://nvd.nist.gov/vuln/detail/CVE-2023-50292
		https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions
		http://www.openwall.com/lists/oss-security/2024/02/09/3
2263579		https://bugzilla.redhat.com/show_bug.cgi?id=2263579
GHSA-4wxw-42wx-2wfx		https://github.com/advisories/GHSA-4wxw-42wx-2wfx

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50292.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:33Z/ Found at https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2024/02/09/3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:33Z/ Found at http://www.openwall.com/lists/oss-security/2024/02/09/3

Exploit Prediction Scoring System (EPSS)

Percentile	0.9732
EPSS Score	0.40116
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:50:23.237053+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4wxw-42wx-2wfx/GHSA-4wxw-42wx-2wfx.json	38.0.0