Enhancement: cves/2019/CVE-2019-0193.yaml by mp
parent
4634b2b0f1
commit
bfbe6ed427
|
@ -1,15 +1,16 @@
|
|||
id: CVE-2019-0193
|
||||
|
||||
info:
|
||||
name: Apache Solr - DataImportHandler RCE
|
||||
name: Apache Solr DataImportHandler <8.2.0 - Remote Code Execution
|
||||
author: pdteam
|
||||
severity: high
|
||||
description: In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
|
||||
description: Apache Solr is vulnerable to remote code execution vulnerabilities via the DataImportHandler, an optional but popular module to pull in data from databases and other sources. The module has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk.
|
||||
remediation: Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
|
||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
|
||||
- https://paper.seebug.org/1009/
|
||||
- https://issues.apache.org/jira/browse/SOLR-13669
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.2
|
||||
|
@ -51,3 +52,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/06/15
|
||||
|
|
Loading…
Reference in New Issue