[ 
https://issues.apache.org/jira/browse/SOLR-17809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18008762#comment-18008762
 ] 

Houston Putman commented on SOLR-17809:
---------------------------------------

I think that is fair. The configuration is very very unlikely, so using 
"not_affected" with a reason of "requires_configuration" makes sense to me.

> solrj module has transitive CVE-2024-51504 vulnerability
> --------------------------------------------------------
>
>                 Key: SOLR-17809
>                 URL: https://issues.apache.org/jira/browse/SOLR-17809
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: SolrJ
>    Affects Versions: 9.8.1
>            Reporter: Botond Brem
>            Assignee: Houston Putman
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 9.9
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> solrj has transitive CVE-2024-51504 vulnerability from 
> solrj-zookeeper->[email protected]
> *CVE-2024-51504:*
> When using IPAuthenticationProvider in ZooKeeper Admin Server there is a 
> possibility of Authentication Bypass by Spoofing -- this only impacts IP 
> based authentication implemented in ZooKeeper Admin Server. Default 
> configuration of client's IP address detection in IPAuthenticationProvider, 
> which uses HTTP request headers, is weak and allows an attacker to bypass 
> authentication via spoofing client's IP address in request headers. Default 
> configuration honors X-Forwarded-For HTTP header to read client's IP address. 
> X-Forwarded-For request header is mainly used by proxy servers to identify 
> the client and can be easily spoofed by an attacker pretending that the 
> request comes from a different IP address. Admin Server commands, such as 
> snapshot and restore arbitrarily can be executed on successful exploitation 
> which could potentially lead to information leakage or service availability 
> issues. Users are recommended to upgrade to version 3.9.3, which fixes this 
> issue.
>  
> zookeeper module has a new version (3.9.3) where the vulnerability is 
> resolved.
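The weakness in the quoted CVE text, as an added Python example that is not ZooKeeper's IPAuthenticationProvider code: a naive client-IP lookup that honors X-Forwarded-For from any peer, beside a hardened one that trusts the header only when the TCP peer is a known reverse proxy. The allowlist, the proxy address and the sample requests are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: only 10.0.0.0/8 may run admin commands.
ALLOWED_CLIENTS = [ip_network("10.0.0.0/8")]
# Constructed: the one reverse proxy that legitimately sets X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("192.0.2.10/32")]


def _in(addr, nets):
    """True if addr parses and falls in one of nets; garbage is never trusted."""
    try:
        a = ip_address(addr)
    except ValueError:
        return False
    return any(a in n for n in nets)


def weak_client_ip(remote_addr, headers):
    """Weak default: honor X-Forwarded-For from anyone, so the 'client IP'
    is whatever the sender wrote into the header."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def hardened_client_ip(remote_addr, headers):
    """Use X-Forwarded-For only if the TCP peer is a trusted proxy, then walk
    the chain from the right, peeling off trusted proxies; the first untrusted
    hop is the client. The left-most entry is sender-controlled and ignored."""
    if not _in(remote_addr, TRUSTED_PROXIES):
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        if not _in(hop, TRUSTED_PROXIES):
            return hop
    return remote_addr


def is_authorized(remote_addr, headers, resolver):
    """Admin-command gate: resolve the client IP, then check the allowlist."""
    return _in(resolver(remote_addr, headers), ALLOWED_CLIENTS)


# Constructed: an external host connects directly and claims an internal IP.
SPOOFED = ("203.0.113.7", {"X-Forwarded-For": "10.1.2.3"})
# Constructed: the same claim relayed by the trusted proxy, which appends
# the real peer address after the forged one.
VIA_PROXY = ("192.0.2.10", {"X-Forwarded-For": "10.1.2.3, 203.0.113.7"})
```

With the weak resolver the spoofed request passes the allowlist; with the hardened one both constructed requests resolve to 203.0.113.7 and are rejected.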



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
