CVE-2023-50291

7.5 HIGH

📋 TL;DR

Apache Solr leaks sensitive system properties like 'basicauth' and 'aws.secretKey' through the /admin/info/properties endpoint because the redaction logic only hid properties containing 'password'. This allows authenticated users with 'config-read' permission to view credentials in the Solr Admin UI. Affects Solr versions 6.0.0-8.11.2 and 9.0.0-9.2.x.

💻 Affected Systems

Products:
  • Apache Solr
Versions: 6.0.0 through 8.11.2, and 9.0.0 up to but not including 9.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if Solr Authorization is enabled and users have 'config-read' permission; otherwise the endpoint is not accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with config-read access can steal credentials for external systems (AWS, authentication backends), leading to data breaches, privilege escalation, or lateral movement.

🟠 Likely Case

Authorized but malicious insiders or compromised accounts with config-read permission can harvest credentials from the Solr Admin UI.

🟢 If Mitigated

With proper authorization controls limiting config-read access, only trusted administrators can view the properties, reducing exposure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with config-read permission; trivial to access the exposed endpoint via UI or API.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.11.3 or 9.3.0

Vendor Advisory: https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies

Restart Required: Yes

Instructions:

1. Download and install Apache Solr 8.11.3 or 9.3.0 from the official website.
2. Replace the existing Solr installation with the patched version.
3. Restart all Solr nodes to apply the fix.

🔧 Temporary Workarounds

Apply Java system property redaction pattern

all

Sets a custom pattern to hide sensitive system properties containing password, secret, or basicauth.

-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*

🧯 If You Can't Patch

  • Restrict 'config-read' permission to only essential administrators.
  • Monitor access to the /admin/info/properties endpoint for unauthorized usage.

🔍 How to Verify

Check if Vulnerable:

Check whether the Solr version falls in the range 6.0.0-8.11.2 or 9.0.0-9.2.x, and whether the /admin/info/properties endpoint exposes properties like 'basicauth' or 'aws.secretKey'.

Check Version:

curl http://localhost:8983/solr/admin/info/system | grep -o '"solr-spec-version":"[^"]*"'

Verify Fix Applied:

After patching, verify that sensitive properties are no longer visible in the Solr Admin UI at /admin/info/properties.
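
The check above can be scripted. The following is an added example, not code from the Solr project or the advisory: it audits a saved /admin/info/properties response for property names that match the workaround pattern but still carry a real value. The `system.properties` response key, the `--REDACTED--` placeholder, the case-insensitive matching and the sample response are assumptions made for this example.

```python
import json
import re

# Pattern from the workaround on this page; IGNORECASE is an assumption
# chosen so the audit errs toward flagging.
WORKAROUND = re.compile(r".*(password|secret|basicauth).*", re.IGNORECASE)
# The pre-fix behaviour described on this page: only names containing 'password'.
PRE_FIX = re.compile(r".*password.*", re.IGNORECASE)
REDACTED = "--REDACTED--"  # assumed placeholder Solr writes for hidden values

# Constructed sample response (not captured from a real node).
SAMPLE = json.dumps({
    "responseHeader": {"status": 0},
    "system.properties": {
        "java.version": "11.0.20",
        "javax.net.ssl.keyStorePassword": "--REDACTED--",
        "basicauth": "solr:EXAMPLE-ONLY",
        "aws.secretKey": "EXAMPLE-ONLY-KEY",
        "solr.jetty.truststore.password": "--REDACTED--",
    },
})

def audit(body, props_key="system.properties"):
    """Return sensitive-looking property names whose values are exposed.

    Each finding records whether the pre-fix 'password'-only rule would
    have covered the name, which separates this CVE's gap from a node
    where redaction is not applied at all.
    """
    props = json.loads(body).get(props_key)
    if not isinstance(props, dict):
        raise ValueError(f"no {props_key!r} object in response")
    findings = []
    for name, value in sorted(props.items()):
        if WORKAROUND.fullmatch(name) and value != REDACTED:
            findings.append({
                "name": name,
                "covered_by_pre_fix_rule": bool(PRE_FIX.fullmatch(name)),
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["name"], "exposed; pre-fix rule covers it:",
              f["covered_by_pre_fix_rule"])
```

Pass `audit()` the response body saved from a node before and after patching; an empty list after the upgrade or workaround indicates the redaction is in effect. The script reports property names only and never echoes the values.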

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /admin/info/properties endpoint in Solr logs.

Network Indicators:

  • HTTP GET requests to /solr/admin/info/properties from unauthorized IPs.

SIEM Query:

source="solr.log" AND (uri_path="/admin/info/properties" OR message="*properties*")
