CVE-2024-52012

5.4 MEDIUM

📋 TL;DR

This CVE describes a relative path traversal vulnerability (zipslip) in Apache Solr's configset upload API on Windows systems. Attackers can upload malicious ZIP files containing relative paths to write arbitrary files anywhere on the filesystem. All Apache Solr versions from 6.6 through 9.7.0 running on Windows are affected.

💻 Affected Systems

Products:
  • Apache Solr
Versions: 6.6 through 9.7.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems due to path handling differences. Linux/Unix systems are not vulnerable.
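
The Windows-only scope can be seen by evaluating ZIP entry names under both path conventions. The following Python check is an added example, not code from Solr or from the original page: it audits a configset ZIP before upload and assumes the "path handling differences" are Windows' treatment of backslashes and drive prefixes as path syntax, which the page does not spell out. The function names and the sample archive are constructed for illustration.

```python
# Added example (not Solr code). Assumption: the Windows-only exposure comes
# from backslashes and drive prefixes being path syntax on Windows only.
import io
import ntpath
import posixpath
import zipfile


def escapes(name, pathmod):
    """True if `name` would land outside the extraction root under pathmod's rules."""
    seps = tuple(s for s in (pathmod.sep, pathmod.altsep) if s)
    drive, rest = pathmod.splitdrive(name)
    if drive or rest.startswith(seps):
        return True  # drive letter, UNC share or rooted path
    norm = pathmod.normpath(rest)
    return norm == ".." or norm.startswith(".." + pathmod.sep)


def classify(name):
    """Verdict for one ZIP entry name."""
    if escapes(name, posixpath):
        return "escapes"
    if escapes(name, ntpath):
        return "escapes-on-windows"
    return "ok"


def audit_configset_zip(data):
    """Map each entry name in a ZIP (given as bytes) to its verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # orig_filename is the name as stored, before zipfile normalises it
        return {i.orig_filename: classify(i.orig_filename) for i in zf.infolist()}


def constructed_sample():
    """Constructed test archive: two normal configset files and two bad names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("solrconfig.xml", "lang/stopwords_en.txt",
                     "../outside.txt", "..\\outside.txt"):
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in audit_configset_zip(constructed_sample()).items():
        print(f"{verdict:20} {name!r}")
```

Entries flagged `escapes-on-windows` read as a single ordinary file name to a POSIX extractor, which is consistent with the same archive being harmless on Linux/Unix.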

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via arbitrary file writes leading to remote code execution, data exfiltration, or system destruction.

🟠 Likely Case: Unauthorized file writes to sensitive locations, potentially enabling privilege escalation or persistence mechanisms.

🟢 If Mitigated: Limited impact with proper access controls, potentially only file writes to non-critical directories.

🌐 Internet-Facing: HIGH - Internet-facing Solr instances with configset upload API accessible are directly exploitable.
🏢 Internal Only: MEDIUM - Internal instances still pose risk if attackers gain network access or through insider threats.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the configset upload API endpoint. ZIP file manipulation is well-understood and tooling exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.8.0

Vendor Advisory: https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd

Restart Required: Yes

Instructions:

1. Download Apache Solr 9.8.0 or later from official sources.
2. Stop the Solr service.
3. Back up configuration and data.
4. Install/upgrade to 9.8.0.
5. Restart the Solr service.

🔧 Temporary Workarounds

Restrict Configset Upload API Access

all

Use Solr's Rule-Based Authentication Plugin to limit configset upload API to trusted administrators only.

Configure security.json with appropriate authentication rules for /admin/configs endpoint

🧯 If You Can't Patch

  • Disable configset upload functionality entirely if not required
  • Implement network segmentation and firewall rules to restrict access to Solr admin interfaces

🔍 How to Verify

Check if Vulnerable:

Check the Solr version and OS: an instance is vulnerable if its version is between 6.6 and 9.7.0 inclusive and it is running on Windows.

Check Version:

solr version (from command line) or check Solr admin UI

Verify Fix Applied:

Confirm Solr version is 9.8.0 or later, or verify configset upload API is properly restricted.

📡 Detection & Monitoring

Log Indicators:

  • Unusual configset upload activity
  • File write attempts to unexpected paths
  • ZIP file processing errors

Network Indicators:

  • POST requests to /solr/admin/configs endpoint with ZIP files
  • Unusual admin interface access patterns

SIEM Query:

source="solr.log" AND ("admin/configs" OR "configset upload") AND method=POST
