CVE-2019-17558

Name: CVE-2019-17558

Description: Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| lucene-solr (PTS) | jessie, jessie (lts) | 3.6.2+dfsg-5+deb8u3 | vulnerable |
| | stretch (security), stretch (lts), stretch | 3.6.2+dfsg-10+deb9u3 | vulnerable |
| | buster | 3.6.2+dfsg-20+deb10u2 | vulnerable |
| | bullseye | 3.6.2+dfsg-24 | vulnerable |
| | sid, trixie, bookworm | 3.6.2+dfsg-26 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| lucene-solr | source | (unstable) | (unfixed) | unimportant | | |

Notes

https://www.openwall.com/lists/oss-security/2019/12/30/1
https://issues.apache.org/jira/browse/SOLR-13971
https://issues.apache.org/jira/browse/SOLR-14025
