Detections
Analytics
Apache Solr 6.6.x < 9.8.0 Relative Path Traversal
medium Nessus Plugin ID 266069
Language:
Synopsis
The remote wen server contains a Java application that is affect by a relative path traversal vlunerability.Description
Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the 'configset upload' API. Commonly known as a 'zipslip', maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem.This issue affects Apache Solr: from 6.6 through 9.7.0. Users are recommended to upgrade to version 9.8.0, which fixes the issue. Users unable to upgrade may also safely prevent the issue by using Solr's 'Rule-Based Authentication Plugin' to restrict access to the configset upload API, so that it can only be accessed by a trusted set of administrators/users.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache Solr version 9.8.0 or later.See Also
https://lists.apache.org/thread/yp39pgbv4vf1746pf5yblz84lv30vfxd
Plugin Details
Severity: Medium
ID: 266069
File Name: apache_solr_cve-2024-52012.nasl
Version: 1.1
Type: remote
Family: CGI abuses
Published: 9/29/2025
Updated: 9/29/2025
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.3
CVSS v2
Risk Factor: Medium
Base Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS Score Source: CVE-2024-52012
CVSS v3
Risk Factor: Medium
Base Score: 5.4
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Vulnerability Information
CPE: cpe:/a:apache:solr
Required KB Items: installed_sw/Apache Solr
Patch Publication Date: 1/26/2025
Vulnerability Publication Date: 1/26/2025
Reference Information
CVE: CVE-2024-52012