CVE-2019-17558

Apache Solr VelocityResponseWriter Plug-In Remote Code Execution Vulnerability

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).

Apache Solr versión 5.0.0 hasta Apache Solr versión 8.3.1 son vulnerables a una ejecución de código remota por medio de la función VelocityResponseWriter. Se puede proporcionar una plantilla Velocity por medio de plantillas Velocity en un directorio configset "velocity/" o como un parámetro. Un configset definido por el usuario podría contener plantillas renderizables, potencialmente maliciosas. Las plantillas proporcionadas por los parámetros están deshabilitadas por defecto, pero pueden ser habilitadas configurando "params.resource.loader.enabled" definiendo un escritor de respuestas con esa configuración establecida en "true". La definición de un escritor de respuestas requiere acceso a la API de configuración. Solr versión 8.4 eliminó por completo el cargador de recursos params, y solo habilita la renderización de la plantilla proporcionada por el configset cuando el configset es "trusted" (ha sido cargado por parte de un usuario autenticado).

The Apache Solr VelocityResponseWriter plug-in contains an unspecified vulnerability which can allow for remote code execution.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-10-14 CVE Reserved
2019-11-01 First Exploit
2019-12-30 CVE Published
2021-11-03 Exploited in Wild
2022-05-03 KEV Due Date
2024-08-05 CVE Updated
2024-11-20 EPSS Updated

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CAPEC

References (31)

URL	Tag	Source
https://lists.apache.org/thread.html/r0b7b9d4113e6ec1ae1d3d0898c645f758511107ea44f0f3a1210c5d5%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r12ab2cb15a34e49b4fecb5b2bdd7e10f3e8b7bf1f4f47fcde34d3a7c%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66%40%3Cdev.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r25f1bd4545617f5b86dde27b4c30fec73117af65598a30e20209739a%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r339865b276614661770c909be1dd7e862232e3ef0af98bfd85686b51%40%3Cdev.lucene.apache.org%3E	Issue Tracking
https://lists.apache.org/thread.html/r36e35fd76239a381643555966fb3e72139e018d52d76544fb42f96d8%40%3Cissues.lucene.apache.org%3E	Issue Tracking
https://lists.apache.org/thread.html/r58c58fe51c87bc30ee13bb8b4c83587f023edb349018705208e65b37%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r5dc200f7337093285bac40e6d5de5ea66597c3da343a0f7553f1bb12%40%3Csolr-user.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r79c7e75f90e735fd32c4e3e97340625aab66c09dfe8c4dc0ab768b69%40%3Csolr-user.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7b89b3dcfc1b6c52dd8d610b897ac98408245040c92b484fe97a51a2%40%3Csolr-user.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7f21ab40a9b17b1a703db84ac56773fcabacd4cc1eb5c4700d17c071%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r8a36e4f92f4449dec517e560e1b55639f31b3aca26c37bbad45e31de%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r8e7a3c253a695a7667da0b0ec57f9bb0e31f039e62afbc00a1d96f7b%40%3Csolr-user.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9271d030452170ba6160c022757e1b5af8a4c9ccf9e04164dec02e7f%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r99c3f7ec3a079e2abbd540ecdb55a0e2a0f349ca7084273a12e87aeb%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/ra29fa6ede5184385bf2c63e8ec054990a7d4622bba1d244bee70d82d%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rafc939fdd753f55707841cd5886fc7fcad4d8d8ba0c72429b3220a9a%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb964fe5c4e3fc05f75e8f74bf6b885f456b7a7750c36e9a8045c627a%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8%40%3Ccommits.submarine.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rde3dbd8e646dabf8bef1b097e9a13ee0ecbdb8441aaed6092726c98d%40%3Cissues.ambari.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re8d12db916b5582a23ed144b9c5abd0bea0be1649231aa880f6cbfff%40%3Cissues.lucene.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E	Mailing List
https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/47572	2019-11-01
https://www.exploit-db.com/exploits/48338	2020-04-16
http://packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html	2024-08-05
https://issues.apache.org/jira/browse/SOLR-13971	2024-08-05
https://lists.apache.org/thread.html/r5074d814d3a8c75df4b20e66bfd268ee0a73ddea7e85070cec3ae78d%40%3Cissues.lucene.apache.org%3E	2024-08-05
https://lists.apache.org/thread.html/rf6d7ffae2b940114324e036b6394beadf27696d051ae0c4a5edf07af%40%3Cissues.lucene.apache.org%3E	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Solr Search vendor "Apache" for product "Solr"				>= 5.0.0 < 7.7.3 Search vendor "Apache" for product "Solr" and version " >= 5.0.0 < 7.7.3"		-		Affected
Apache Search vendor "Apache"		Solr Search vendor "Apache" for product "Solr"				>= 8.0.0 < 8.4.0 Search vendor "Apache" for product "Solr" and version " >= 8.0.0 < 8.4.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				>= 17.7 <= 17.12 Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.7 <= 17.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				16.1 Search vendor "Oracle" for product "Primavera Unifier" and version "16.1"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				16.2 Search vendor "Oracle" for product "Primavera Unifier" and version "16.2"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				18.8 Search vendor "Oracle" for product "Primavera Unifier" and version "18.8"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				19.12 Search vendor "Oracle" for product "Primavera Unifier" and version "19.12"		-		Affected