CVE-2019-17558

Name: CVE-2019-17558
Description: Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release                      Version                 Status
lucene-solr (PTS)    jessie                       3.6.2+dfsg-5+deb8u2     vulnerable
                     jessie (security)            3.6.2+dfsg-5+deb8u3     vulnerable
                     stretch (security), stretch  3.6.2+dfsg-10+deb9u2    vulnerable
                     buster                       3.6.2+dfsg-20+deb10u1   vulnerable
                     bullseye, sid                3.6.2+dfsg-22           vulnerable

The information below is based on the following data on fixed versions.

Package        Type     Release     Fixed Version   Urgency       Origin   Debian Bugs
lucene-solr    source   (unstable)  (unfixed)       unimportant

Notes

https://www.openwall.com/lists/oss-security/2019/12/30/1
https://issues.apache.org/jira/browse/SOLR-13971
https://issues.apache.org/jira/browse/SOLR-14025
check: whilst the advisory claims 5.0.0 upwards only, the SolrParamResourceLoader might be of issue already earlier?
