9.8

CVE-2019-0192

EPSS 93.19%
Published 07.03.2019 21:29:00
Last modified 21.11.2024 04:16:27
Source security@apache.org
Teams watchlist Login
Open Login

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

Affected products Warnungen 0 Metrics 3 CWE 1 References 17

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Solr Version >= 5.0.0 <= 5.5.5

Apache ≫ Solr Version >= 6.0.0 <= 6.6.5

Netapp ≫ Storage Automation Store Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	93.19%	0.998

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E

https://access.redhat.com/errata/RHSA-2019:2413

http://mail-archives.us.apache.org/mod_mbox/www-announce/201903.mbox/%3CCAECwjAV1buZwg%2BMcV9EAQ19MeAWztPVJYD4zGK8kQdADFYij1w%40mail.gmail.com%3E

Vendor Advisory

Mailing List

Mitigation

http://www.securityfocus.com/bid/107318

Third Party Advisory

VDB Entry

https://lists.apache.org/thread.html/42c5682f4acd1d03bd963e4f47ae448d7cff66c16b19142773818892%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/53e4744b14fb7f1810405f8ff5531ab0953a23dd09ce8071ce87e00d%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/b0ace855f569c6b7a0b03ba68566e53b1a1a519abd536bf38978ce4a%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/d0e608c681dfbb16b4da68d99d43fa0ddbd366bb3bcf5bc0d43c56d7%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/ec9c572fb803b26ba0318777977ee6d6a2fb3a2c50d9b4224e541d5d%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8%40%3Ccommits.submarine.apache.org%3E

https://security.netapp.com/advisory/ntap-20190327-0003/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-0192

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-0192

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-0192

EUVD