[ https://issues.apache.org/jira/browse/SOLR-17809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Houston Putman updated SOLR-17809:
----------------------------------
    Security: Public  (was: Private (Security Issue))

> solrj module has transitive CVE-2024-51504 vulnerability
> --------------------------------------------------------
>
>                 Key: SOLR-17809
>                 URL: https://issues.apache.org/jira/browse/SOLR-17809
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: SolrJ
>    Affects Versions: 9.8.1
>            Reporter: Botond Brem
>            Assignee: Houston Putman
>            Priority: Major
>             Fix For: 9.9
>
>
> solrj has a transitive CVE-2024-51504 vulnerability from 
> solrj-zookeeper->zookeeper@3.9.2
> *CVE-2024-51504:*
> When using IPAuthenticationProvider in ZooKeeper Admin Server there is a 
> possibility of Authentication Bypass by Spoofing -- this only impacts IP 
> based authentication implemented in ZooKeeper Admin Server. Default 
> configuration of client's IP address detection in IPAuthenticationProvider, 
> which uses HTTP request headers, is weak and allows an attacker to bypass 
> authentication via spoofing client's IP address in request headers. Default 
> configuration honors X-Forwarded-For HTTP header to read client's IP address. 
> X-Forwarded-For request header is mainly used by proxy servers to identify 
> the client and can be easily spoofed by an attacker pretending that the 
> request comes from a different IP address. Admin Server commands, such as 
> snapshot and restore, can be executed arbitrarily on successful exploitation 
> which could potentially lead to information leakage or service availability 
> issues. Users are recommended to upgrade to version 3.9.3, which fixes this 
> issue.
>  
> The zookeeper module has a new version (3.9.3) in which the vulnerability is 
> resolved.
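As an added illustration of the weakness quoted above (constructed example, not ZooKeeper's IPAuthenticationProvider or any Solr code), the resolver below contrasts honouring X-Forwarded-For from any peer with honouring it only when the TCP peer is one of our own configured proxies; the proxy address, allow-list and sample client addresses are assumptions.

```python
import ipaddress

# Constructed example, not ZooKeeper or Solr code: an allow-list check that
# depends on the resolved client IP, shown with a weak and a hardened resolver.

def _parse(ip: str):
    """Return an ip_address for a well-formed literal, else None."""
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None

def client_ip_weak(remote_addr: str, headers: dict) -> str:
    """Weak: honour X-Forwarded-For from any peer, so the caller picks its IP."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or remote_addr

def client_ip_hardened(remote_addr: str, headers: dict, trusted_proxies) -> str:
    """Hardened: honour X-Forwarded-For only when the TCP peer is a trusted
    proxy, then walk the chain right-to-left and stop at the first hop that
    is not one of our proxies; that hop is the real client."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip: str) -> bool:
        addr = _parse(ip)
        return addr is not None and any(addr in n for n in nets)
    if not trusted(remote_addr):
        return remote_addr  # direct connection: the header is untrusted input
    client = remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse(hop) is None:
            break  # malformed entry: keep the last verified hop
        client = hop
        if not trusted(hop):
            break
    return client

def is_allowed(client_ip: str, allow_list) -> bool:
    """IP-based authorisation decision, the step a spoofed header subverts."""
    addr = _parse(client_ip)
    return addr is not None and any(
        addr in ipaddress.ip_network(a, strict=False) for a in allow_list)

TRUSTED = ["192.0.2.1"]            # our reverse proxy (constructed)
ALLOW = ["10.0.0.0/8"]             # admin allow-list (constructed)
SPOOFED = {"X-Forwarded-For": "10.0.0.5"}  # header set by a direct caller
```

With the weak resolver a direct caller that sets SPOOFED is treated as 10.0.0.5 and passes `is_allowed`; the hardened resolver ignores the header because the peer is not a trusted proxy.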



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
