CVE-2019-0193

HIGH KEV NUCLEI

Apache Solr < 7.7.3 and 8.0.0-8.1.1 - Remote Code Execution via DataImportHandler dataConfig Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-0193 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 10, 2021. EIP tracks 5 public exploits from researchers including jas502n, 1135, xConsoIe. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a Python-based exploit for CVE-2019-0193, a remote code execution vulnerability in Apache Solr's DataImport Handler. The exploit automates the discovery of Solr cores and injects a malicious script via the URLDataSource configuration to achieve RCE.

Description

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

Exploits (5)

nomisec WORKING POC 91 stars
by jas502n · remote-auth
https://github.com/jas502n/CVE-2019-0193

This repository contains a Python-based exploit for CVE-2019-0193, a remote code execution vulnerability in Apache Solr's DataImport Handler. The exploit automates the discovery of Solr cores and injects a malicious script via the URLDataSource configuration to achieve RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Solr < 8.12
No auth needed
Prerequisites: Exposed Solr admin interface · DataImport Handler enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 66 stars
by 1135 · remote-auth
https://github.com/1135/solr_exploit

This repository provides a proof-of-concept exploit for CVE-2019-0193, an Apache Solr remote code execution vulnerability. It includes two exploit methods: one using URLDataSource (requires outbound network access) and another using ContentStreamDataSource (no outbound access required). Both methods leverage Solr's DataImportHandler to execute arbitrary commands via crafted XML configurations.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Solr (versions affected by CVE-2019-0193)
No auth needed
Prerequisites: Solr instance with DataImportHandler enabled · Network access to the Solr admin interface · For Exploit1: Outbound internet access from the Solr server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 7 stars
by xConsoIe · poc
https://github.com/xConsoIe/CVE-2019-0193

This PoC exploits CVE-2019-0193, a remote code execution vulnerability in Oracle WebLogic Server. It manipulates the work directory path to upload a JSP webshell, leveraging improper input validation in the administrative console.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
Auth required
Prerequisites: Access to the WebLogic administrative console · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by jaychouzzk · remote
https://github.com/jaychouzzk/CVE-2019-0193-exp

This repository contains a proof-of-concept exploit for CVE-2019-0193, targeting Apache Solr's DataImportHandler. The exploit leverages a script transformer to execute arbitrary commands, resulting in a reverse shell to a specified IP and port.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Solr (versions affected by CVE-2019-0193)
No auth needed
Prerequisites: Access to Solr's DataImportHandler endpoint · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by freeFV · remote
https://github.com/freeFV/ApacheSolrRCE

This repository contains a functional exploit for CVE-2019-0193, targeting Apache Solr RCE via DataImportHandler misconfiguration. It automates the process of enabling remote streaming, executing arbitrary code, and writing a webshell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Solr (versions affected by CVE-2019-0193)
No auth needed
Prerequisites: Access to Solr admin interface · DataImportHandler enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Apache Solr DataImportHandler <8.2.0 - Remote Code Execution
HIGHby pdteam
Shodan: cpe:"cpe:2.3:a:apache:solr" || http.title:"apache solr" || http.title:"solr admin"
FOFA: title="solr admin" || title="apache solr"

References (23)

Core 23
Core References
Mitigation, Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/SOLR-13669
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/10/msg00013.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/08/msg00025.html

Scores

CVSS v3 7.2
EPSS 0.9306
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-12-10
VulnCheck KEV 2020-01-16
InTheWild.io 2021-04-08
ENISA EUVD EUVD-2019-0615
CWE
CWE-94
Status published
Products (4)
apache/solr < 7.7.3
debian/debian_linux 8.0
debian/debian_linux 9.0
org.apache.solr/solr-core 0 - 8.2.0Maven
Published Aug 01, 2019
KEV Added Dec 10, 2021
Tracked Since Feb 18, 2026