{"id":"CVE-2023-50291","details":"Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only set up to hide system properties that had \"password\" contained in the name.\nA number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\", do not contain \"password\", so their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\nA single option now controls hiding Java system properties for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n  
'-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'","aliases":["BIT-solr-2023-50291","GHSA-3hwc-rqwp-v36q"],"modified":"2026-04-12T06:45:01.463193Z","published":"2024-02-09T18:15:08.240Z","references":[{"type":"ADVISORY","url":"https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2024/02/09/4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/lucene-solr","events":[{"introduced":"48c80f91b8e5cd9b3a9b48e6184bd53e7619e7e3"},{"fixed":"baa7c80af4278cc8951a344d8e9320386588d12d"}],"database_specific":{"versions":[{"introduced":"6.0.0"},{"fixed":"8.11.3"}]}},{"type":"GIT","repo":"https://github.com/apache/solr","events":[{"introduced":"a4eb7aa123dc53f8dac74d80b66a490f2d6b4a26"},{"fixed":"de33f50ce79ec1d156faf204553012037e2bc1cb"}],"database_specific":{"versions":[{"introduced":"9.0.0"},{"fixed":"9.3.0"}]}}],"database_specific":{"vanir_signatures_modified":"2026-04-12T06:45:01Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50291.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}