CVE-2023-50386
CVE-2023-50386 is a high-severity vulnerability in Apache Solr with a CVSS 3.x base score of 8.8. Its EPSS exploit-prediction score of 84% places it in the 100th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-434.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- EPSS exploit prediction: 84% (100th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-0481
- Weakness: CWE-434
- Affected product: Apache Solr
- Published:
- Last modified:
Description
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added: * Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader. * The Backup API restricts saving backups to directories that are used in the ClassLoader.
Frequently asked questions
- What is CVE-2023-50386?
- Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added: * Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader. * The Backup API restricts saving backups to directories that are used in the ClassLoader.
- How severe is CVE-2023-50386?
- CVE-2023-50386 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-50386 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 84% (100th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-50386?
- CVE-2023-50386 affects Apache Solr. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-50386?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2023-50386 have an EU (EUVD) identifier?
- Yes. CVE-2023-50386 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-0481.
- When was CVE-2023-50386 published?
- CVE-2023-50386 was published on 2024-02-09 and last updated on 2026-06-17.
References
- http://www.openwall.com/lists/oss-security/2024/02/09/1
- https://solr.apache.org/security.html#cve-2023-50386-apache-solr-backuprestore-apis-allow-for-deployment-of-executables-in-malicious-configsets
Affected products (1)
- cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
More vulnerabilities in Apache Solr
- CVE-2024-45216 — Critical (CVSS 9.8): Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is…
- CVE-2021-44548 — Critical (CVSS 9.8): An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows…
- CVE-2021-27905 — Critical (CVSS 9.8): The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also…
- CVE-2020-13957 — Critical (CVSS 9.8): Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous…
- CVE-2019-12409 — Critical (CVSS 9.8): The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration…
- CVE-2019-0192 — Critical (CVSS 9.8): In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an…
All CVEs affecting Apache Solr →
Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-57700 — Critical (CVSS 10.0): Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This…
- CVE-2025-69129 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7…
- CVE-2026-40772 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
- CVE-2026-40412 — Critical (CVSS 10.0): Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code…
Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →