CVE-2020-13941
https://notcve.org/view.php?id=CVE-2020-13941
Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access. Reportado en SOLR-14515 (privado) y corregido en SOLR-14561 (público), publicado en Solr versión 8.6.0. El manejador de Replicación (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) permite una copia de seguridad, restauración y eliminación de copias de seguridad de los comandos. • https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/rbcd9dff009ed19ffcc2b09784595fc1098fc802a5472f81795f893be%40%3Ccommits.lucene.apache.org%3E https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8%40%3Ccommits.submarine.apache.org%3E https://lists.apache.org/thread.html/rf54e7912b7d2b72c63ec54a7afa4adcbf16268dcc63253767dd67d60%40%3Cgeneral.lucene.apache.org%3E • CWE-20: Improper Input Validation •
CVE-2019-17558 – Apache Solr VelocityResponseWriter Plug-In Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-17558
Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. • https://www.exploit-db.com/exploits/47572 https://www.exploit-db.com/exploits/48338 http://packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html https://issues.apache.org/jira/browse/SOLR-13971 https://lists.apache.org/thread.html/r0b7b9d4113e6ec1ae1d3d0898c645f758511107ea44f0f3a1210c5d5%40%3Cissues.lucene.apache.org%3E https://lists.apache.org/thread.html/r12ab2cb15a34e49b4fecb5b2bdd7e10f3e8b7bf1f4f47fcde34d3a7c%40%3Cissues.lucene.apache.org%3E https://lists.apache.org/thread.html/r • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2019-12409
https://notcve.org/view.php?id=CVE-2019-12409
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server. Apache Solr versiones 8.1.1 y 8.2.0, contiene una configuración no segura para la opción de configuración ENABLE_REMOTE_JMX_OPTS en el archivo de configuración predeterminado solr.in.sh enviado con Solr. Si utiliza el archivo predeterminado solr.in.sh de las versiones afectadas, entonces la supervisión JMX será habilitada y expuesta en RMI_PORT (default=18983), sin ninguna autenticación. • https://github.com/jas502n/CVE-2019-12409 https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12409-RCE%20Vulnerability%20Due%20to%20Bad%20Defalut%20Config-Apache%20Solr https://lists.apache.org/thread.html/47e112035b4aa67ece3b75dbcd1b9c9212895b9dfe2a71f6f7c174e2%40%3Cannounce.apache.org%3E https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d%40%3Csolr-user.lucene.apache.org%3E https://lists.apache.org/thread.html/925cdb49ceae78baddb45da7beb9b4d2b1ddc4a8e318c65e91fb4e87%40%3Cissues.lucene.apache.org%3E https: • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2019-0193 – Apache Solr DataImportHandler Code Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-0193
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true. En Solr de Apache, el DataImportHandler, un módulo opcional pero popular para extraer datos de bases de datos y otras fuentes, presenta una funcionalidad en la que toda la configuración de DIH puede provenir del parámetro "dataConfig" de una petición. • https://github.com/jas502n/CVE-2019-0193 https://github.com/xConsoIe/CVE-2019-0193 https://github.com/jaychouzzk/CVE-2019-0193-exp https://issues.apache.org/jira/browse/SOLR-13669 https://lists.apache.org/thread.html/1addbb49a1fc0947fb32ca663d76d93cfaade35a4848a76d4b4ded9c%40%3Cissues.lucene.apache.org%3E https://lists.apache.org/thread.html/42cc4d334ba33905b872a0aa00d6a481391951c8b1450f01b077ce74%40%3Cissues.lucene.apache.org%3E https://lists.apache.org/thread.html/55880d48e38ba9e8c41a3b9e41051dbfdef63b86b0cfeb32967edf03%40%3Cissues.lucene.apac • CWE-94: Improper Control of Generation of Code ('Code Injection') •