CVE-2019-0193
Published: 01 August 2019
Summary
CVE-2019-0193 is a high-severity Code Injection (CWE-94) vulnerability in Apache Solr. Its CVSS base score is 7.2 (High).
Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Deeper analysis
In Apache Solr, the optional DataImportHandler module used to ingest data from databases and other sources contains a vulnerability that permits the full DIH configuration, including executable scripts, to be supplied through the "dataConfig" request parameter. This capability is exposed in the debug mode of the DIH admin screen for development convenience and is tracked under CWE-94. The issue affects Solr instances prior to version 8.2.0 where the parameter is enabled by default.
An attacker with administrative access to the DIH interface can submit a crafted request containing malicious script content in the dataConfig parameter, leading to remote code execution or other high-impact actions on the server. The CVSS 7.2 score reflects network attack vector, low complexity, and high confidentiality, integrity, and availability consequences when privileges are held.
Advisories and release notes indicate that Solr 8.2.0 and later disable the parameter by default; operators must explicitly set the Java system property "enable.dih.dataConfigParam" to true if the debug feature is required. The referenced Apache JIRA issue and mailing list threads document this change and the associated security rationale.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-0615
Vulnerability details
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the…
more
DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
- CWE(s)
- KEV Date Added
- 10 December 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Disables the risky dataConfig parameter and DIH debug feature by default, directly eliminating the code-injection vector described in the CVE.
Requires explicit setting of enable.dih.dataConfigParam=false (or removal of the debug capability) so the vulnerable configuration cannot be supplied via request.
Mandates timely application of the Solr 8.2.0+ update that changes the insecure default and removes the unauthenticated script-execution path.