CVE-2019-17558
Scores
EPSS Score
0.9447
CVSS
3.x 7.5
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
All CVSS Scores
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P
Description
Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).
Sources
CWEs
Related Vulnerabilities
Exploits
Exploit ID: CVE-2019-17558
Source: cisa
URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Reference Links
Vulnerable Software
Type: Configuration
Product: lucene-solr
Operating System: ubuntu bionic 18.04
{
"unfixed": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu disco 19.04
{
"unfixed": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu eoan 19.10
{
"unfixed": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu focal 20.04
{
"unaffected": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu groovy 20.10
{
"unfixed": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu hirsute 21.04
{
"unfixed": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu impish 21.10
{
"unfixed": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu jammy 22.04
{
"unaffected": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu kinetic 22.10
{
"unfixed": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu lunar 23.04
{
"unfixed": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu trusty 14.04
{
"unfixed": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: ubuntu xenial 16.04
{
"unfixed": true
}Source: ubuntu
Type: Configuration
Product: lucene-solr
Operating System: debian
{
"unfixed": true
}Source: debian
Type: Configuration
Vendor: apache
Product: solr
Operating System: * * *
{
"cpe_match": [
{
"cpe23uri": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.7.3",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"cpe23uri": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.4.0",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"operator": "OR"
}Source: nvd
Type: Configuration
Vendor: oracle
Product: primavera_unifier
Operating System: * * *
{
"cpe_match": [
{
"cpe23uri": "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*",
"versionEndIncluding": "17.12",
"versionStartIncluding": "17.7",
"vulnerable": true
},
{
"cpe23uri": "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"cpe23uri": "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"cpe23uri": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"cpe23uri": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"operator": "OR"
}Source: nvd