Apache Solr 5.x <= 5.5.5 or 6.x <= 6.6.5 Deserialization Vulnerability (CVE-2019-0192)

High Nessus Plugin ID 126447


The remote web server contains a Java application that is affected by a remote code execution vulnerability.


The version of Apache Solr running on the remote web server is affected by a remote code execution vulnerability in the Config API due to unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this, via an HTTP POST request that points the JMX server to a malicious RMI server. An attacker could then send a crafted serialized Java object to the server, to execute arbitrary code.


Upgrade to Apache Solr version 7.0 or later, refer to the vendor advisory for relevant patch and configuration settings.

See Also



Plugin Details

Severity: High

ID: 126447

File Name: apache_solr_cve-2019-0192.nbin

Version: 1.7

Type: remote

Family: CGI abuses

Published: 2019/07/03

Updated: 2019/12/03

Dependencies: 71843

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2019-0192

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:solr

Required KB Items: installed_sw/Apache Solr

Exploit Ease: No known exploits are available

Patch Publication Date: 2019/03/07

Vulnerability Publication Date: 2019/03/07

Reference Information

CVE: CVE-2019-0192

BID: 107318