CVE-2019-0193
HIGH KEV NUCLEI
Apache Solr < 7.7.3 - Code Injection
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
Exploits (5)
Nuclei Templates (1)
Apache Solr DataImportHandler <8.2.0 - Remote Code Execution
HIGH
by pdteam
Shodan:
cpe:"cpe:2.3:a:apache:solr" || http.title:"apache solr" || http.title:"solr admin"
FOFA:
title="solr admin" || title="apache solr"
References (23)
Scores
CVSS v3
7.2
EPSS
0.9344
EPSS Percentile
99.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CISA KEV
2021-12-10
VulnCheck KEV
2020-01-16
InTheWild.io
2021-04-08
ENISA EUVD
EUVD-2019-0615
CWE
CWE-94
Status
published
Products (4)
apache/solr
< 7.7.3
debian/debian_linux
8.0
debian/debian_linux
9.0
org.apache.solr/solr-core
0 - 8.2.0
Maven
Published
Aug 01, 2019
KEV Added
Dec 10, 2021
Tracked Since
Feb 18, 2026