CVE-2019-0193
lucene-solr - security update
Description
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
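A defender-side check that follows from the description, added here as an example (not code from the page or from the Solr project): scan a Solr request log for requests that reached the DataImportHandler with a request-supplied `dataConfig`, which is exactly the usage the `enable.dih.dataConfigParam` property gates from 8.2.0 onward. The log lines are constructed, and the `/dataimport` handler path is an assumption based on the conventional DIH handler name in solrconfig.xml.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a Solr (Jetty) request log in NCSA common format; not
# real traffic. "/dataimport" is the conventional DIH handler name and is an
# assumption: adjust it to match the handler name in your solrconfig.xml.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2019:10:01:02 +0000] "GET /solr/books/select?q=*:* HTTP/1.1" 200 512
10.0.0.7 - - [12/Aug/2019:10:01:05 +0000] "GET /solr/books/dataimport?command=status HTTP/1.1" 200 210
10.0.0.9 - - [12/Aug/2019:10:01:09 +0000] "POST /solr/books/dataimport?command=full-import&debug=true&dataConfig=%3CdataConfig%2F%3E HTTP/1.1" 200 1024
10.0.0.9 - - [12/Aug/2019:10:01:11 +0000] "GET /solr/books/dataimport?command=full-import&debug=true HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_dataconfig_requests(log_text, handler="/dataimport"):
    """Return one record per request that hit the DIH handler with a
    dataConfig query parameter, i.e. a DIH config supplied by the client."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request-log line; skip rather than guess
        url = urlsplit(m.group("target"))
        if not url.path.endswith(handler):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "dataConfig" not in params:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            # debug mode is the documented way the admin screen uses dataConfig
            "debug": params.get("debug", [""])[0].lower() == "true",
            "config_bytes": len(params["dataConfig"][0]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_dataconfig_requests(SAMPLE_LOG):
        print(hit)
```

Form-encoded POST bodies are not written to the request log, so this only catches the parameter when it travels in the query string; a 200 status on such a request means the handler accepted the client-supplied config, which on a version below 8.2.0 (or with the property set to true) is the condition to treat as a finding.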
How to fix CVE-2019-0193
To remediate CVE-2019-0193, upgrade the affected package to a fixed version below.
- upgrade to 3.6.2+dfsg-22 or later
- upgrade to 3.6.2+dfsg-5+deb8u3 or later
- upgrade to 3.6.2+dfsg-10+deb9u3 or later
- upgrade to 8.2.0 or later
Is CVE-2019-0193 being exploited?
Yes — CVE-2019-0193 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (4)
- from 0, < 3.6.2+dfsg-22
- from 0, < 3.6.2+dfsg-5+deb8u3
- from 0, < 3.6.2+dfsg-10+deb9u3
- from 0, < 8.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.2) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H |