SCA: security update for org.apache.solr:solr-core (GHSA-68r2-fwcg-qpm8)

Critical | Tenable Cloud Security | Plugin ID 420774

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Core creation allows users to replace "trusted" configset files with arbitrary configuration. Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization, are vulnerable to a form of privilege escalation in which individual "trusted" configset files can be ignored in favor of potentially untrusted replacements available elsewhere on the filesystem. These replacement config files are treated as "trusted" and can use "<lib>" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin. This issue affects all Apache Solr versions up through Solr 9.7. Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or by switching to SolrCloud (and away from "FileSystemConfigSetService"). Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of "<lib>" tags by default. (CVE-2025-24814)

See Also

https://github.com/advisories/GHSA-68r2-fwcg-qpm8

Plugin Details

Severity: Critical

ID: 420774

Version: Revision 1.16

Type: Local

Family: SCA Checks

Published: 1/27/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.8

Percentile: 22.6

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2025-24814

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 7.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/27/2025

Vulnerability Publication Date: 1/27/2025

Reference Information

CVE: CVE-2025-24814

CWE: CWE-250