CVE-2019-17558

HIGH KEV NUCLEI

Apache Solr < 7.7.3 - Injection

Title source: rule

Description

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).

Exploits (8)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/48338

View Code ZIP pw:eip

exploitdb WORKING POC

by @l3x_wong · pythonwebappsjava

https://www.exploit-db.com/exploits/47572

View Code ZIP pw:eip

nomisec WORKING POC 4,275 stars

by zhzyker · remote

https://github.com/zhzyker/exphub

View Code ZIP pw:eip

nomisec WORKING POC 2 stars

by Ma1Dong · remote

https://github.com/Ma1Dong/Solr_CVE-2019-17558

View Code ZIP pw:eip

nomisec SUSPICIOUS 1 stars

by thelostworldFree · poc

https://github.com/thelostworldFree/CVE-2019-17558_Solr_Vul_Tool

View Code ZIP pw:eip

nomisec WRITEUP

by rogerzeferino · poc

https://github.com/rogerzeferino/Apache-Solr-RCE-CVE-2019-17558

View Code ZIP pw:eip

nomisec SUSPICIOUS

by xkyrage · poc

https://github.com/xkyrage/Exploit_CVE-2019-17558-RCE

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by s00py, jas502n, AleWong · rubypocjava

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/solr_velocity_rce.rb

View Code ZIP pw:eip

Nuclei Templates (1)

Apache Solr <=8.3.1 - Remote Code Execution

HIGHby pikpikcu,madrobot

Shodan: cpe:"cpe:2.3:a:apache:solr" || http.title:"apache solr" || http.title:"solr admin"

FOFA: title="solr admin" || title="apache solr"

References (30)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html

[Exploit, Issue Tracking, Patch, Vendor Advisory] https://issues.apache.org/jira/browse/SOLR-13971

[Mailing List] https://lists.apache.org/thread.html/r0b7b9d4113e6ec1ae1d3d0898c645f758511107ea44f0f3a1210c5d5%40%3Cissues.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r12ab2cb15a34e49b4fecb5b2bdd7e10f3e8b7bf1f4f47fcde34d3a7c%40%3Cissues.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66%40%3Cdev.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r25f1bd4545617f5b86dde27b4c30fec73117af65598a30e20209739a%40%3Cissues.lucene.apache.org%3E

[Issue Tracking, Mailing List] https://lists.apache.org/thread.html/r339865b276614661770c909be1dd7e862232e3ef0af98bfd85686b51%40%3Cdev.lucene.apache.org%3E

[Issue Tracking, Mailing List] https://lists.apache.org/thread.html/r36e35fd76239a381643555966fb3e72139e018d52d76544fb42f96d8%40%3Cissues.lucene.apache.org%3E

[Exploit, Mailing List] https://lists.apache.org/thread.html/r5074d814d3a8c75df4b20e66bfd268ee0a73ddea7e85070cec3ae78d%40%3Cissues.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r58c58fe51c87bc30ee13bb8b4c83587f023edb349018705208e65b37%40%3Cissues.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r5dc200f7337093285bac40e6d5de5ea66597c3da343a0f7553f1bb12%40%3Csolr-user.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r79c7e75f90e735fd32c4e3e97340625aab66c09dfe8c4dc0ab768b69%40%3Csolr-user.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r7b89b3dcfc1b6c52dd8d610b897ac98408245040c92b484fe97a51a2%40%3Csolr-user.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r7f21ab40a9b17b1a703db84ac56773fcabacd4cc1eb5c4700d17c071%40%3Cissues.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r8a36e4f92f4449dec517e560e1b55639f31b3aca26c37bbad45e31de%40%3Cissues.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r8e7a3c253a695a7667da0b0ec57f9bb0e31f039e62afbc00a1d96f7b%40%3Csolr-user.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r9271d030452170ba6160c022757e1b5af8a4c9ccf9e04164dec02e7f%40%3Cissues.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r99c3f7ec3a079e2abbd540ecdb55a0e2a0f349ca7084273a12e87aeb%40%3Cissues.lucene.apache.org%3E

... and 10 more

Scores

CVSS v3 7.5

EPSS 0.9447

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-11-03

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2020-0320

CWE

CWE-74

Status published

Products (7)

apache/solr 5.0.0 - 7.7.3

oracle/primavera_unifier 16.1

oracle/primavera_unifier 16.2

oracle/primavera_unifier 18.8

oracle/primavera_unifier 19.12

oracle/primavera_unifier 17.7 - 17.12

org.apache.solr/solr-core 5.0.0 - 8.4.0Maven

Published Dec 30, 2019

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026