VDB

GSD-2019-0193

GSD-2019-0193 PUBLISHED CVSS 7.199999809265137 HIGH

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

Risk Scores

CVSS 3.1
7.199999809265137
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
ApacheApache SolrApache Solr all prior to 8.2.0

Timeline

  • Aug 1, 2019 CVE Published
  • Dec 16, 2019 PoC Published
  • Jun 14, 2023 PoC Published
  • Nov 2, 2024 PoC Published
  • Nov 19, 2024 PoC Published
  • Dec 24, 2024 PoC Published
  • Dec 27, 2024 PoC Published
  • Jan 5, 2025 PoC Published
  • Jan 13, 2025 PoC Published
  • Jan 23, 2025 PoC Published
  • Jan 30, 2025 PoC Published
  • Feb 9, 2025 PoC Published

References

…and 3 more

Open in Interactive Console →
$ Console Community · 100/wk Open console ›