CyberSec.Space Logo
Back to CVE Browser

CVE-2019-17558

Known Exploited (CISA KEV)HIGH
7.5
CVSS Severity Score
EPSS Score83.3380%
EPSS Percentile93.15th
PublishedDec 30, 2019
Last ModifiedOct 27, 2025

Vulnerability Description

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).

Affected Platforms (CPE)

πŸ“¦
Apache

Solr

>= 5.0.0 and < 7.7.3
πŸ“¦
Apache

Solr

>= 8.0.0 and < 8.4.0
πŸ“¦
Oracle

Primavera Unifier

>= 17.7 and <= 17.12
πŸ“¦
Oracle

Primavera Unifier

= 16.1
πŸ“¦
Oracle

Primavera Unifier

= 16.2
πŸ“¦
Oracle

Primavera Unifier

= 18.8
πŸ“¦
Oracle

Primavera Unifier

= 19.12

References & Advisories

πŸ”— http://packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html
πŸ”— https://issues.apache.org/jira/browse/SOLR-13971
πŸ”— https://lists.apache.org/thread.html/r0b7b9d4113e6ec1ae1d3d0898c645f758511107ea44f0f3a1210c5d5%40%3Cissues.lucene.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r12ab2cb15a34e49b4fecb5b2bdd7e10f3e8b7bf1f4f47fcde34d3a7c%40%3Cissues.lucene.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66%40%3Cdev.lucene.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r25f1bd4545617f5b86dde27b4c30fec73117af65598a30e20209739a%40%3Cissues.lucene.apache.org%3E

Related Vulnerabilities

CVE-2013-628810.0

Unspecified vulnerability in the Apache Solr for TYPO3 (solr) extension before 2.8.3 for TYPO3 has unknown impact and remote attac...

CVE-2019-01929.8

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST requ...

CVE-2019-142229.8

An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authentica...

CVE-2019-124099.8

The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the...