CVE-2019-17558HIGH
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).
References
https://issues.apache.org/jira/browse/SOLR-13971
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.submarine.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.ambari.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.lucene.apache.org%3E
Details
Source: MITRE
Published: 2019-12-30
Updated: 2021-03-25
Type: CWE-94
Risk Information
CVSS v2
Base Score: 6
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 6.8
Severity: MEDIUM
CVSS v3
Base Score: 7.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 1.6
Severity: HIGH
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:* versions from 5.0.0 to 8.3.1 (inclusive)
Configuration 2
OR
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from 17.7 to 17.12 (inclusive)
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 141641 | Oracle Primavera Unifier (Oct 2020 CPU) | Nessus | CGI abuses | high |
| 134190 | FreeBSD : Solr -- multiple vulnerabilities (e59cb761-5ad8-11ea-abb7-001b217b3468) | Nessus | FreeBSD Local Security Checks | high |
| 98931 | Apache Solr 5.0.0 < 8.4.0 Remote Code Execution | Web Application Scanning | Component Vulnerability | high |
| 98924 | Apache Solr < 8.4.0 Remote Code Execution | Web Application Scanning | Component Vulnerability | high |
| 132583 | Apache Solr < 8.4.0 Remote Code Execution | Nessus | CGI abuses | high |
| 131734 | Apache Solr Config API Velocity Template RCE (Direct Check) | Nessus | CGI abuses | high |