CVE-2019-0193 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-0193 PUBLISHED KEV

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

EPSS 93.58% · 99.8th percentile

Risk Scores

EPSS Score

93.58%

99.8th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:16.04:LTS	lucene-solr	3.6.2+dfsg-8, 0, 3.6.2+dfsg-7
Ubuntu:Pro:14.04:LTS	lucene-solr	3.6.2+dfsg-2ubuntu0.1~esm2, 3.6.2+dfsg-2, 0
Ubuntu:Pro:18.04:LTS	lucene-solr	0, 3.6.2+dfsg-18~18.04, 3.6.2+dfsg-11

Timeline

CVE Published
Jan 19, 1970 VulnCheck XDB Entry
Jan 19, 1970 VulnCheck XDB Entry
Jan 19, 1970 VulnCheck XDB Entry
Jan 19, 1970 VulnCheck XDB Entry
Jan 20, 1970 VulnCheck XDB Entry
Dec 16, 2019 PoC Published
Jan 16, 2020 VulnCheck KEV Exploitation
Sep 3, 2020 PoC Published
Apr 8, 2021 VulnCheck KEV Exploitation
Apr 12, 2021 VulnCheck KEV Exploitation
Apr 14, 2021 EPSS Score

References

https://ubuntu.com/security/CVE-2019-0193 third-party-advisory
https://issues.apache.org/jira/browse/SOLR-13669 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2019-0193 third-party-advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog third-party-advisory
https://ubuntu.com/security/notices/USN-7283-1 vendor-advisory

Open in Interactive Console →