VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-s2n1-qdzh-kqbg

Essentials
Severities (17)
References (8)
Severity details (14)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-s2n1-qdzh-kqbg
Aliases	CVE-2024-52012 GHSA-4p5m-gvpf-f3x5
Summary	Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API. Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem. This issue affects Apache Solr: from 6.6 through 9.7.0. Users are recommended to upgrade to version 9.8.0, which fixes the issue. Users unable to upgrade may also safely prevent the issue by using Solr's "Rule-Based Authentication Plugin" to restrict access to the configset upload API, so that it can only be accessed by a trusted set of administrators/users.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-23	Relative Path Traversal
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.13709	https://api.first.org/data/v1/epss?cve=CVE-2024-52012
epss	0.13709	https://api.first.org/data/v1/epss?cve=CVE-2024-52012
epss	0.13709	https://api.first.org/data/v1/epss?cve=CVE-2024-52012
cvssv4	6.6	https://github.com/apache/solr
generic_textual	MODERATE	https://github.com/apache/solr
cvssv4	6.6	https://github.com/apache/solr/commit/5795edd143b8fcb2ffaf7f278a099b8678adf396
generic_textual	MODERATE	https://github.com/apache/solr/commit/5795edd143b8fcb2ffaf7f278a099b8678adf396
cvssv4	6.6	https://issues.apache.org/jira/browse/SOLR-17543
generic_textual	MODERATE	https://issues.apache.org/jira/browse/SOLR-17543
cvssv3.1	5.4	https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd
cvssv4	6.6	https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd
generic_textual	MODERATE	https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd
ssvc	Track	https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd
cvssv4	6.6	https://nvd.nist.gov/vuln/detail/CVE-2024-52012
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2024-52012
cvssv4	6.6	http://www.openwall.com/lists/oss-security/2025/01/26/2
generic_textual	MODERATE	http://www.openwall.com/lists/oss-security/2025/01/26/2

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-52012
		https://github.com/apache/solr
		https://github.com/apache/solr/commit/5795edd143b8fcb2ffaf7f278a099b8678adf396
		https://issues.apache.org/jira/browse/SOLR-17543
		https://nvd.nist.gov/vuln/detail/CVE-2024-52012
		http://www.openwall.com/lists/oss-security/2025/01/26/2
GHSA-4p5m-gvpf-f3x5		https://github.com/advisories/GHSA-4p5m-gvpf-f3x5
yp39pgbv4vf1746pf5yblz84lv30vfxd		https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd

No exploits are available.

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/apache/solr

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/apache/solr/commit/5795edd143b8fcb2ffaf7f278a099b8678adf396

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://issues.apache.org/jira/browse/SOLR-17543

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-27T13:34:11Z/ Found at https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://nvd.nist.gov/vuln/detail/CVE-2024-52012

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at http://www.openwall.com/lists/oss-security/2025/01/26/2

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.94429
EPSS Score	0.13709
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-10T18:34:54.981237+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2024/52xxx/CVE-2024-52012.json	38.6.0