CVE-2019-12409

Source
https://cve.org/CVERecord?id=CVE-2019-12409
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12409.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-12409
Published
2019-11-18T21:15:11.857Z
Modified
2026-04-10T04:15:30.356113Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

Affected packages

Git / github.com/apache/lucene-solr

Affected ranges

Type
GIT
Repo
https://github.com/apache/lucene-solr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.1.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.2.0"
        }
    ]
}

Affected versions

Other
grafts/lucene-oldest
grafts/lucene-solr-copy
grafts/lucene-solr-oldest-merged
history/branches/lucene-solr/lucene-6997
releases/lucene-solr/8.*
releases/lucene-solr/8.1.0
releases/lucene-solr/8.1.1
releases/lucene-solr/8.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12409.json"