KEVIntel
Back to KEVs
7.2
CVSS
High

CVE-2019-0193

PUBLISHED

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the...

Exploited in the wild Remote Low complexity No user interaction
Vendor
Apache
Product
Apache Solr
Published
Aug 01, 2019
EPSS

Description

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

apache java cisa nuclei_scanner

CVSS scores

CVSS v3.1 7.2 High

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 9.0

AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitation status

Exploited in the wild

Recorded 2021-12-10 00:00:00 UTC · Source

SSVC decision points

Exploitation
active
Automatable
No
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Dec 10, 2021
CISA Dec 10, 2021

Scanner integrations

Scanner Reference Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-0193.yaml Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

jas502n/CVE-2019-0193

github · Created 2019-08-09 06:27:39 UTC · 90 stars

Apache Solr DataImport Handler RCE

xConsoIe/CVE-2019-0193

github · Created 2019-03-18 13:18:01 UTC · 7 stars

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Added to KEVIntel

  • Detected by Nuclei