CVE-2023-50290 Overview
CVE-2023-50290 is an information disclosure vulnerability in Apache Solr that allows exposure of sensitive host environment variables through the Solr Metrics API. The vulnerability exists because the Metrics API publishes all unprotected environment variables available to each Apache Solr instance. While administrators can configure which environment variables to hide, the default exclusion list is only designed to protect known secret Java system properties, leaving host-level environment variables potentially exposed.
Unlike Java system properties that are set per-process, environment variables may be set for the entire host and cannot be strictly defined within Solr's configuration. This architectural limitation means that sensitive credentials, API keys, or configuration data stored in environment variables could be inadvertently exposed to authenticated users with the "metrics-read" permission.
Critical Impact
Authenticated users with "metrics-read" permission can access sensitive host environment variables including potential credentials, API keys, and configuration secrets through the Solr Metrics API.
Affected Products
- Apache Solr versions 9.0.0 through 9.2.x
- Apache Solr instances with Metrics API enabled
- Solr Cloud deployments with users having "metrics-read" permission
Discovery Timeline
- 2024-01-15 - CVE-2023-50290 published to NVD
- 2025-05-09 - Last updated in NVD database
Technical Details for CVE-2023-50290
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The Solr Metrics API is designed to provide operational metrics for monitoring and administration purposes. However, the API's default behavior of exposing all environment variables creates a significant information disclosure risk.
The vulnerability is particularly concerning in containerized environments where environment variables are commonly used to inject configuration values, database credentials, and service API keys. Since the Metrics API requires only the "metrics-read" permission—a relatively common privilege for monitoring users—the attack surface extends beyond administrative accounts to potentially include lower-privileged monitoring or read-only accounts.
The network-accessible nature of this vulnerability means that any authenticated user with appropriate permissions can exploit it remotely without requiring local access to the Solr server.
Root Cause
The root cause stems from the Solr Metrics API's overly permissive default configuration regarding environment variable exposure. The default exclusion list was designed primarily to protect Java system properties that contain sensitive information, but fails to account for the broader scope of environment variables that may exist at the host or container level.
Environment variables, unlike Java system properties, cannot be strictly controlled within Solr's configuration framework. This design limitation means that sensitive data passed to Solr through environment variables—a common pattern in modern deployment practices—is exposed through the Metrics API.
Attack Vector
An attacker with valid credentials and the "metrics-read" permission can exploit this vulnerability by querying the Solr Metrics API endpoint. The attack requires network access to the Solr instance and authenticated access with appropriate permissions.
The exploitation workflow involves querying the /solr/admin/metrics endpoint with a valid session. The response includes all environment variables that are not explicitly hidden in the configuration. In environments where sensitive credentials are passed via environment variables (such as AWS_SECRET_ACCESS_KEY, DATABASE_PASSWORD, or application-specific secrets), these values would be returned in the API response.
For Solr Cloud deployments with proper authorization configured, only users explicitly granted "metrics-read" permission can access this data. However, in deployments without authorization or with overly permissive role assignments, the exposure risk increases significantly.
Detection Methods for CVE-2023-50290
Indicators of Compromise
- Unusual or repeated queries to the /solr/admin/metrics endpoint from unexpected user accounts
- Access to Metrics API from non-monitoring IP addresses or user accounts
- Log entries showing metrics requests from recently created or compromised accounts
- Increased frequency of metrics API calls beyond normal operational patterns
Detection Strategies
- Monitor Solr access logs for requests to /solr/admin/metrics and correlate with authorized monitoring accounts
- Implement alerting for metrics API access from user accounts not designated for monitoring purposes
- Review audit logs for users with "metrics-read" permission accessing the Metrics API from unusual locations
- Deploy network-level monitoring to detect anomalous traffic patterns to Solr administrative endpoints
Monitoring Recommendations
- Enable detailed audit logging for all Solr administrative API endpoints
- Configure SIEM rules to alert on Metrics API access outside of expected monitoring schedules
- Regularly review the list of users and roles with "metrics-read" permission
- Monitor for credential rotation activities following potential exposure events
How to Mitigate CVE-2023-50290
Immediate Actions Required
- Upgrade Apache Solr to version 9.3.0 or later where environment variables are no longer published via the Metrics API
- Review and restrict the users and roles with "metrics-read" permission to only essential monitoring accounts
- Audit environment variables on Solr hosts to identify potentially exposed sensitive data
- Rotate any credentials or API keys that may have been exposed through environment variables
Patch Information
Apache has addressed this vulnerability in Solr version 9.3.0 and later. The fix removes the exposure of environment variables through the Metrics API entirely. Users running affected versions (9.0.0 through 9.2.x) should upgrade to version 9.3.0 or the latest available release.
For detailed patch information and security advisories, refer to the Apache Solr Security Advisory.
Workarounds
- Configure the SOLR_HIDDEN_ENV_VARS setting to explicitly list all sensitive environment variables that should not be exposed
- Implement network-level access controls to restrict Metrics API access to trusted monitoring systems only
- Consider using Java system properties instead of environment variables for sensitive configuration where possible
- Enable Solr authorization and carefully audit "metrics-read" permission assignments
# Configuration example - Add to solr.in.sh or environment configuration
# List all sensitive environment variables to hide from Metrics API
export SOLR_OPTS="$SOLR_OPTS -Dsolr.hiddenSysProps=AWS_SECRET_ACCESS_KEY,DATABASE_PASSWORD,API_KEY"
# Alternatively, configure environment variable exclusions in solr.xml
# or restrict network access to admin endpoints via firewall rules
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
