
Published on August 2nd, 2019


Apache Solr 8.2.0 DataImportHandler Parameter unknown vulnerability



CVSS Meta Temp Score: 5.5
Current Exploit Price (≈): $5k-$25k

A vulnerability has been found in Apache Solr 8.2.0 and classified as critical. It affects an unknown part of the DataImportHandler component. Manipulation of a parameter leads to an unknown weakness. The impact remains unknown. The summary by CVE is:

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
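A configuration check for the condition the CVE summary describes, as an added example that is not part of the advisory or of Solr itself. It assumes the handler is registered in solrconfig.xml under the class name `org.apache.solr.handler.dataimport.DataImportHandler` or its `solr.` shorthand, that the property value is compared to "true" case-insensitively, and that the version is a plain dotted number; the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Handler class as it may appear in solrconfig.xml (full name or "solr." shorthand).
DIH_CLASSES = {
    "org.apache.solr.handler.dataimport.DataImportHandler",
    "solr.DataImportHandler",
}
PROP = "enable.dih.dataConfigParam"  # system property named in the CVE summary

def dih_handlers(solrconfig_xml):
    """Names of requestHandlers in solrconfig.xml backed by DataImportHandler."""
    root = ET.fromstring(solrconfig_xml)
    return [h.get("name") for h in root.iter("requestHandler")
            if h.get("class") in DIH_CLASSES]

def param_enabled(jvm_args):
    """True if the JVM arguments set the property to true (last -D wins)."""
    enabled = False
    for arg in jvm_args:
        m = re.fullmatch(r"-D" + re.escape(PROP) + r"=(.*)", arg)
        if m:
            enabled = m.group(1).lower() == "true"
    return enabled

def audit(version, solrconfig_xml, jvm_args):
    """Report whether a request-supplied dataConfig would be honoured."""
    parts = ([int(p) for p in version.split(".")] + [0, 0])[:3]
    gated = tuple(parts) >= (8, 2, 0)   # 8.2.0+ requires the property
    handlers = dih_handlers(solrconfig_xml)
    honoured = bool(handlers) and (not gated or param_enabled(jvm_args))
    return {"dih_handlers": handlers, "gated_by_default": gated,
            "dataconfig_param_honoured": honoured}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_SOLRCONFIG = """<config>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <requestHandler name="/dataimport"
                  class="org.apache.solr.handler.dataimport.DataImportHandler">
    <lst name="defaults"><str name="config">db-data-config.xml</str></lst>
  </requestHandler>
</config>"""

if __name__ == "__main__":
    for ver, args in [("8.1.1", []), ("8.2.0", []),
                      ("8.2.0", ["-D" + PROP + "=true"])]:
        print(ver, args, audit(ver, SAMPLE_SOLRCONFIG, args))
```

A result with `dataconfig_param_honoured` set to true means the instance accepts a whole DIH configuration from the request, which is the condition the summary calls a security risk.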

The weakness was released 08/01/2019. The advisory is shared at issues.apache.org. This vulnerability is known as CVE-2019-0193 since 11/14/2018. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 08/02/2019).

No information about possible countermeasures is known. It may be suggested to replace the affected object with an alternative product.

Class: Unknown
Local: Yes
Remote: No

Status: Not defined

Remediation recommended: no mitigation known


11/14/2018 CVE assigned
08/01/2019 +260 days Advisory disclosed
08/02/2019 +1 days VulDB entry created
08/02/2019 +0 days VulDB last update

Vendor: apache.org

Advisory: issues.apache.org

CVE: CVE-2019-0193

Created: 08/02/2019 11:52 AM


https://vuldb.com/?id.139261
