Vendor: The Apache Software Foundation
6.6.0 to 6.6.6
7.0.0 to 7.7.3
8.0.0 to 8.6.2
Solr prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
Any of the following are enough to prevent this vulnerability:
- Disable UPLOAD command in ConfigSets API if not used by setting the system property: configset.upload.enabled to false 
- Use Authentication/Authorization and make sure unknown requests aren't allowed 
- Upgrade to Solr 8.6.3 or greater.
- If upgrading is not an option, consider applying the patch in
- No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access
Tomás Fernández Löbbe, András Salamon
- is fixed by
SOLR-14663 ConfigSets CREATE does not set trusted flag