Detections
Analytics
Apache Solr 5.3.0 < 8.11.4 / 9.x < 9.7.0 Authentication Bypass
critical Web App Scanning Plugin ID 114496
Language:
Synopsis
Apache Solr 5.3.0 < 8.11.4 / 9.x < 9.7.0 Authentication BypassDescription
Apache Solr versions 5.3.0 prior to 8.11.4 or 9.x prior to 9.7.0 using the PKIAuthenticationPlugin, which is activated by default when Solr authentication is used, enables an attacker to bypass authentication via a specially forged request.Solution
Upgrade to Apache Solr version 8.11.4 or 9.7.0 or laterSee Also
Plugin Details
Severity: Critical
ID: 114496
Type: remote
Family: Component Vulnerability
Published: 11/5/2024
Updated: 11/5/2024
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: High
Score: 8.4
CVSS v2
Risk Factor: Medium
Base Score: 6.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS Score Source: CVE-2024-45216
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2024-45216
Vulnerability Information
CPE: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 8/21/2024
Vulnerability Publication Date: 8/21/2024
Reference Information
CVE: CVE-2024-45216
OWASP: 2010-A3, 2010-A8, 2013-A2, 2013-A7, 2013-A9, 2017-A2, 2017-A5, 2017-A9, 2021-A1, 2021-A6, 2021-A7
WASC: Insufficient Authentication, Insufficient Authorization
CAPEC: 114, 115, 151, 194, 22, 57, 593, 633, 650, 94
DISA STIG: APSC-DV-000460, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3, sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1
PCI-DSS: 3.2-6.2, 3.2-6.5.10, 3.2-6.5.8