CVSS: 9.8EPSS: 94%CPEs: 3EXPL: 2CVE-2019-0192 – solr: remote code execution due to unsafe deserialization
https://notcve.org/view.php?id=CVE-2019-0192
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side. En Apache Solr, desde la versión 5.0.0 hasta la 6.0.0 y desde la 6.0.0 hasta la 6.6.5, el API Config permite la configuración del servidor JMX con una petición HTTP POST. Al redirigirlo a un servidor RMI malicioso, un atacante podría aprovecharse de la deserialización insegura de Solr para desencadenar una ejecución remota de código en el lado de Solr.. A flaw was found in the Apache Solr's Config API, where it would permit the configuration of the JMX server via an HTTP POST request. • https://github.com/mpgn/CVE-2019-0192 https://github.com/Rapidsafeguard/Solr-RCE-CVE-2019-0192 http://mail-archives.us.apache.org/mod_mbox/www-announce/201903.mbox/%3CCAECwjAV1buZwg%2BMcV9EAQ19MeAWztPVJYD4zGK8kQdADFYij1w%40mail.gmail.com%3E http://www.securityfocus.com/bid/107318 https://access.redhat.com/errata/RHSA-2019:2413 https://lists.apache.org/thread.html/42c5682f4acd1d03bd963e4f47ae448d7cff66c16b19142773818892%40%3Cdev.lucene.apache.org%3E https://lists.apache.org/thread.html/53e4744b14fb7f1810405f8ff5531ab0953a23dd09ce8071ce87 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 5.5EPSS: 1%CPEs: 4EXPL: 1CVE-2018-8026
https://notcve.org/view.php?id=CVE-2018-8026
This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. The manipulated files can be uploaded as configsets using Solr's API, allowing to exploit that vulnerability. Esta vulnerabilidad en Apache Solr, de la versión 6.0.0 a la 6.6.4 y de la versión 7.0.0 a la 7.3.1, está relacionada con una expansión XEE (XML External Entity) en los archivos de configuración de Solr (currency.xml, enumsConfig.xml referido desde schema.xml y el archivo de configuración TIKA parsecontext). • http://www.securityfocus.com/bid/104690 https://issues.apache.org/jira/browse/SOLR-12450 https://mail-archives.apache.org/mod_mbox/lucene-solr-user/201807.mbox/%3C0cdc01d413b7%24f97ba580%24ec72f080%24%40apache.org%3E https://security.netapp.com/advisory/ntap-20190307-0002 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-8010
https://notcve.org/view.php?id=CVE-2018-8010
This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. • http://www.securityfocus.com/bid/104239 https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E https://mail-archives.apache.org/mod_mbox/www-announce/201805.mbox/%3C08a801d3f0f9%24df46d300%249dd47900%24%40apache.org%3E • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2018-1308
https://notcve.org/view.php?id=CVE-2018-1308
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Esta vulnerabilidad en Apache Solr 1.2 a 6.6.2 y 7.0.0 a 7.2.1 está relacionado con una expansión XEE (XML External Entity) en el parámetro `dataConfig=` del DataImportHandler de Solr. Puede emplearse como XEE mediante el uso de protocolos file/ftp/http para leer archivos locales arbitrarios del servicio Solr o de la red interna. • https://issues.apache.org/jira/browse/SOLR-11971 https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E https://lists.debian.org/debian-lts-announce/2018/04/msg00025.html https://mail-archives.apache.org/mod_mbox/www-announce/201804.mbox/%3C000001d3cf68%245ac69af0%241053d0d0%24%40apache.org%3E https://www.debian.org/security/2018/dsa-4194 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 10.0EPSS: 97%CPEs: 11EXPL: 2CVE-2017-12629 – Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-12629
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. Ocurre una ejecución remota de código en Apache Solr en versiones anteriores a la 7.1 con Apache Lucene en versiones anteriores a la 7.1 explotando XXE junto con el uso de un comando add-listener de la API de configuración para alcanzar la clase RunExecutableListener. • https://www.exploit-db.com/exploits/43009 http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E http://openwall.com/lists/oss-security/2017/10/13/1 http://www.securityfocus.com/bid/101261 https://access.redhat.com/errata/RHSA-2017:3123 https://access.redhat.com/errata/RHSA-2017:3124 https://access.redhat.com/errata/RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3451 https:/ • CWE-138: Improper Neutralization of Special Elements CWE-611: Improper Restriction of XML External Entity Reference •