9.8

CVE-2019-0192

EPSS 93.19%
Veröffentlicht 07.03.2019 21:29:00
Zuletzt bearbeitet 21.11.2024 04:16:27
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 17

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Solr Version >= 5.0.0 <= 5.5.5

Apache ≫ Solr Version >= 6.0.0 <= 6.6.5

Netapp ≫ Storage Automation Store Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	93.19%	0.998

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E

https://access.redhat.com/errata/RHSA-2019:2413

http://mail-archives.us.apache.org/mod_mbox/www-announce/201903.mbox/%3CCAECwjAV1buZwg%2BMcV9EAQ19MeAWztPVJYD4zGK8kQdADFYij1w%40mail.gmail.com%3E

Vendor Advisory

Mailing List

Mitigation

http://www.securityfocus.com/bid/107318

Third Party Advisory

VDB Entry

https://lists.apache.org/thread.html/42c5682f4acd1d03bd963e4f47ae448d7cff66c16b19142773818892%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/53e4744b14fb7f1810405f8ff5531ab0953a23dd09ce8071ce87e00d%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/b0ace855f569c6b7a0b03ba68566e53b1a1a519abd536bf38978ce4a%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/d0e608c681dfbb16b4da68d99d43fa0ddbd366bb3bcf5bc0d43c56d7%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/ec9c572fb803b26ba0318777977ee6d6a2fb3a2c50d9b4224e541d5d%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8%40%3Ccommits.submarine.apache.org%3E

https://security.netapp.com/advisory/ntap-20190327-0003/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-0192

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-0192

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-0192

EUVD