CVE Vulnerabilities

CVE-2019-17558

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Dec 30, 2019 | Modified: Nov 07, 2023
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
4.6 MEDIUM
AV:N/AC:H/Au:S/C:P/I:P/A:P
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting params.resource.loader.enabled by defining a response writer with that setting set to true. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Solr Apache 5.0.0 (including) 8.3.1 (including)
Lucene-solr Ubuntu bionic *
Lucene-solr Ubuntu disco *
Lucene-solr Ubuntu eoan *
Lucene-solr Ubuntu groovy *
Lucene-solr Ubuntu hirsute *
Lucene-solr Ubuntu impish *
Lucene-solr Ubuntu kinetic *
Lucene-solr Ubuntu lunar *
Lucene-solr Ubuntu trusty *
Lucene-solr Ubuntu xenial *

Potential Mitigations

References