Execution with Unnecessary Privileges

Summary

Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual "trusted" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem. These replacement config files are treated as "trusted" and can use `<lib>` tags to add to Solr's classpath, which an attacker might use to load malicious code as a "searchComponent" or other plugin. This issue affects org.apache.solr:solr-core package versions through 9.7.0. Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to "SolrCloud" (and away from "FileSystemConfigSetService"). Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling the use of `<lib>` tags by default.