Cyber Resilience

CVE-2019-0193

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 01 August 2019

Modified: 27 October 2025
KEV Added: 10 December 2021
CVSS v3.1: 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.9306 (99.8th percentile)
Risk Priority: 90 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-0193 is a high-severity Code Injection (CWE-94) vulnerability in the optional DataImportHandler (DIH) module of Apache Solr. Its CVSS v3.1 base score is 7.2 (High).

Operationally, it ranks in the top 0.2% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality): run Solr 8.2.0 or later without setting enable.dih.dataConfigParam, and remove the DIH request handler wherever data import is not needed.

Deeper analysis

In Apache Solr, the optional DataImportHandler (DIH) module, used to pull data into an index from databases and other sources, accepts its entire configuration from the "dataConfig" request parameter. The debug mode of the DIH admin screen relies on this so that a config can be edited and tried without changing solrconfig.xml. Because a DIH config may embed a <script> element whose functions the ScriptTransformer runs against every row, anyone who can pass that parameter can run code inside the Solr JVM; the weakness is tracked as CWE-94 (Code Injection). Before Solr 8.2.0 the parameter is honoured unconditionally: there is no property that disables it.

An attacker who can reach the DIH request handler (conventionally registered as /dataimport in solrconfig.xml) submits a request whose dataConfig parameter carries a config with script content; the script executes with the privileges of the Solr process, which gives remote code execution or any other high-impact action on the host. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) yields 7.2 because it assumes high privileges are required to reach the handler. A practitioner should weigh that assumption: Solr ships with no authentication enabled, so on an instance exposed without an authentication plugin or a fronting proxy the same request needs no credentials at all, which is consistent with the near-maximal EPSS score and the KEV listing.
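A detection pass over Solr's own request logging, as an added example that is not part of this advisory or of the Solr project. It parses the "o.a.s.c.S.Request" lines Solr writes to solr.log (the "path=... params={...} status=..." shape) and flags any request to a /dataimport handler that carries a dataConfig parameter, raising the severity when the supplied config contains a <script> element or a "script:" transformer reference, and noting debug=true and an import command as supporting signals. The log lines are constructed for the example, not captured traffic; the handler path and the exact log layout are assumptions about a default-style deployment.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample entries in the shape of Solr's solr.log request lines
# ("o.a.s.c.S.Request ... path=/x params={...} status=0 QTime=n").
# They are illustrative, not captured traffic. The third line carries a DIH
# config with a <script> element, the pattern CVE-2019-0193 is about.
SAMPLE_LOG = """\
2019-08-01 12:00:01.001 INFO  (qtp1-12) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/select params={q=*:*&rows=10} hits=42 status=0 QTime=3
2019-08-01 12:00:02.002 INFO  (qtp1-13) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/dataimport params={command=status} status=0 QTime=1
2019-08-01 12:00:03.003 INFO  (qtp1-14) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/dataimport params={command=full-import&debug=true&dataConfig=%3CdataConfig%3E%3Cscript%3E%3C![CDATA[function+f(row)%7Breturn+row%3B%7D]]%3E%3C/script%3E%3Cdocument%3E%3Centity+name%3D%22e%22+transformer%3D%22script:f%22/%3E%3C/document%3E%3C/dataConfig%3E} status=0 QTime=40
"""

# Greedy ".*" plus the trailing "} status=" anchor tolerates braces inside values.
REQUEST_RE = re.compile(
    r"path=(?P<path>\S+)\s+params=\{(?P<params>.*)\}\s+(?:hits=\d+\s+)?status=(?P<status>\d+)"
)

# Markers of executable content inside a DIH config: an inline <script>
# element, or an entity bound to a script function through the
# ScriptTransformer ('transformer="script:fn"' syntax).
SCRIPT_MARKERS = ("<script", "script:", "scripttransformer")


def parse_request_line(line):
    """Return {'path', 'params', 'status'} for a Solr request log line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    params = {}
    for key, value in parse_qsl(m.group("params"), keep_blank_values=True):
        params.setdefault(key, []).append(value)  # repeated keys are legal in Solr
    return {"path": m.group("path"), "params": params, "status": int(m.group("status"))}


def assess_request(req):
    """Return (severity, reasons) when the request looks like dataConfig abuse, else None."""
    if not req["path"].endswith("/dataimport"):
        return None
    params = req["params"]
    if "dataConfig" not in params:
        return None
    reasons = ["DIH config supplied via dataConfig parameter (CVE-2019-0193 vector)"]
    severity = "medium"
    config = "\n".join(params["dataConfig"]).lower()
    if any(marker in config for marker in SCRIPT_MARKERS):
        reasons.append("supplied config contains script content")
        severity = "high"
    if params.get("debug", [""])[0].lower() == "true":
        reasons.append("debug=true (DIH debug mode)")
    command = params.get("command", [""])[0]
    if command in ("full-import", "delta-import"):
        reasons.append(f"command={command} would execute the supplied config")
    return severity, reasons


def scan_log(lines):
    """Run the check over an iterable of log lines; return a list of findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        req = parse_request_line(line)
        if req is None:
            continue
        verdict = assess_request(req)
        if verdict is not None:
            severity, reasons = verdict
            findings.append({"line_no": line_no, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f['line_no']}: {f['severity'].upper()} - " + "; ".join(f["reasons"]))
```

Any dataConfig parameter arriving over the network is worth an alert on its own, because the feature exists only for interactive debugging from the admin screen; the script markers separate a curious probe from an execution attempt. Solr logs the parsed request parameters, so form-encoded POST bodies show up in the same "params={...}" field, but a payload sent as a raw body in another content type would not, which is why the audit of exposure below matters as much as the log check.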

Advisories and release notes state that Solr 8.2.0 and later reject the dataConfig parameter unless the Java system property "enable.dih.dataConfigParam" is set to true; the default is false, so an upgraded instance stays protected until an operator turns the debug feature back on (typically by adding -Denable.dih.dataConfigParam=true to SOLR_OPTS in solr.in.sh). The referenced Apache JIRA issue and mailing-list threads document the change and its rationale. Two caveats for operators: setting the property re-opens exactly the vector this CVE describes, so it belongs only on development instances that are not network-reachable; and where DIH is not used, removing the DataImportHandler request handler and the <lib> directive that loads the DIH contrib jar from solrconfig.xml closes the issue on any version, including the unpatched 7.x and 8.1.x releases listed below. DIH itself was deprecated in Solr 8.6 and is not shipped with Solr 9, so on current releases the module is absent unless it has been installed separately.
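An exposure audit, as an added example that is not part of this advisory or of the Solr project. The decision logic is the point: the dataConfig parameter is accepted when the running version is older than 8.2.0, or when enable.dih.dataConfigParam is set to true on a patched version, and a core is actually exposed only if it also registers a DataImportHandler. The functions take already-parsed JSON so they can be checked offline against the constructed responses embedded below; audit_live pulls the same data from a running instance through the admin and Config APIs (/admin/info/system, /admin/info/properties, /admin/cores?action=STATUS, /<core>/config/requestHandler), and the response shapes it expects are assumptions about those endpoints rather than a verified contract.

```python
import json
import sys
import urllib.request

DIH_CLASS_MARKER = "DataImportHandler"   # e.g. org.apache.solr.handler.dataimport.DataImportHandler
PROPERTY = "enable.dih.dataConfigParam"
FIRST_GATED_VERSION = (8, 2, 0)          # release that added the property gate


def parse_version(text):
    """'8.1.1' -> (8, 1, 1); tolerates suffixes such as '7.7.3-SNAPSHOT'."""
    parts = [int(p) for p in text.split("-")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def dataconfig_param_accepted(version, system_properties):
    """True if this JVM will honour a dataConfig request parameter."""
    if parse_version(version) < FIRST_GATED_VERSION:
        return True   # no gate exists before 8.2.0; the parameter is always honoured
    value = str(system_properties.get(PROPERTY, "false")).strip().lower()
    return value == "true"


def dih_handlers(config_response):
    """Names of request handlers backed by DataImportHandler in a Config API response."""
    handlers = config_response.get("config", {}).get("requestHandler", {})
    return sorted(
        name for name, spec in handlers.items()
        if DIH_CLASS_MARKER in str(spec.get("class", ""))
    )


def assess(version, system_properties, core_configs):
    """core_configs maps core name -> Config API response. Returns a verdict per core."""
    accepted = dataconfig_param_accepted(version, system_properties)
    result = {}
    for core, config in core_configs.items():
        handlers = dih_handlers(config)
        if not handlers:
            verdict = "not exposed: no DataImportHandler registered"
        elif accepted:
            verdict = "EXPOSED: DataImportHandler registered and dataConfig parameter accepted"
        else:
            verdict = "mitigated: DataImportHandler registered but dataConfig parameter disabled"
        result[core] = {"dih_handlers": handlers, "verdict": verdict}
    return result


# Constructed responses in the shape the admin/Config APIs return (assumed, not captured).
SAMPLE_SYSTEM = {"lucene": {"solr-spec-version": "8.1.1"}}
SAMPLE_PROPERTIES = {"system.properties": {"java.version": "1.8.0_212"}}
SAMPLE_CONFIGS = {
    "products": {"config": {"requestHandler": {
        "/select": {"class": "solr.SearchHandler"},
        "/dataimport": {"class": "org.apache.solr.handler.dataimport.DataImportHandler",
                        "defaults": {"config": "db-data-config.xml"}},
    }}},
    "logs": {"config": {"requestHandler": {"/select": {"class": "solr.SearchHandler"}}}},
}


def fetch_json(base_url, path):
    """GET a JSON document from the Solr base URL (assumes no authentication in front)."""
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as resp:
        return json.load(resp)


def audit_live(base_url):
    """Collect version, properties and per-core handler config from a running Solr."""
    version = fetch_json(base_url, "/admin/info/system?wt=json")["lucene"]["solr-spec-version"]
    props = fetch_json(base_url, "/admin/info/properties?wt=json").get("system.properties", {})
    cores = fetch_json(base_url, "/admin/cores?action=STATUS&wt=json").get("status", {})
    configs = {c: fetch_json(base_url, f"/{c}/config/requestHandler?wt=json") for c in cores}
    return version, assess(version, props, configs)


if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. http://localhost:8983/solr
        version, verdicts = audit_live(sys.argv[1])
    else:
        version = SAMPLE_SYSTEM["lucene"]["solr-spec-version"]
        verdicts = assess(version, SAMPLE_PROPERTIES["system.properties"], SAMPLE_CONFIGS)
    print(f"Solr {version}")
    for core, v in verdicts.items():
        print(f"  {core}: {v['verdict']} (handlers: {', '.join(v['dih_handlers']) or '-'})")
```

The weak setting this hunts for on a patched install is a line such as SOLR_OPTS="$SOLR_OPTS -Denable.dih.dataConfigParam=true" in solr.in.sh; the corrected state is simply its absence, since the default is false. On 7.x and 8.1.x the version check alone decides, and the only configuration that makes such a core "not exposed" is one with no DataImportHandler registered.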


Vulnerability details

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / solr: ≤ 7.7.3; 8.1.0 to 8.1.2
debian / debian linux: 8.0, 9.0

Mitigating Controls (NIST 800-53 r5)

Prevent, CM-7 Least Functionality: Disable the DIH debug feature and the dataConfig request parameter. On Solr 8.2.0+ this is the default; on any version, remove the DataImportHandler request handler (and the <lib> directive that loads the DIH contrib jar) from solrconfig.xml where data import is not used, which eliminates the code-injection vector described in the CVE.

Prevent, CM-6 Configuration Settings: Keep enable.dih.dataConfigParam unset (its default is false). Treat any -Denable.dih.dataConfigParam=true in SOLR_OPTS or solr.in.sh as a configuration violation, since it re-enables supplying the DIH config, scripts included, through the request.

Prevent, patching: Apply the Solr 8.2.0 or later update promptly; it changes the insecure default so that the dataConfig parameter, and the script execution it allows, is rejected unless explicitly re-enabled.
