DescriptionA flaw was found in Apache Solr. The /admin/info/properties endpoint, which publishes the Solr process' Java system properties, is only setup to hide system properties that have "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey", that do not contain "password"; therefore, their values can be published via the vulnerable endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.A flaw was found in Apache Solr. The /admin/info/properties endpoint, which publishes the Solr process' Java system properties, is only setup to hide system properties that have "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey", that do not contain "password"; therefore, their values can be published via the vulnerable endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.