CVE-2019-0193 org.apache.solr:solr-core

Package

Manager: maven
Name: org.apache.solr:solr-core
Vulnerable Version: >=0 <8.2.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.93129 (percentile 0.99783)

Details

XML External Entity (XXE) Injection in Apache Solr

In Apache Solr, the DataImportHandler (DIH), an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

Metadata

Created: 2019-08-01T19:17:35Z
Modified: 2024-07-25T19:57:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-3gm7-v7vw-866c/GHSA-3gm7-v7vw-866c.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-3gm7-v7vw-866c
Finding: F184
Auto approve: 1