GHSA-xhcq-fv7x-grr2

Source

https://github.com/advisories/GHSA-xhcq-fv7x-grr2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-xhcq-fv7x-grr2/GHSA-xhcq-fv7x-grr2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xhcq-fv7x-grr2

Aliases

CVE-2019-0192

Published

2019-03-14T15:39:45Z

Modified

2024-02-17T05:34:32.164978Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Critical severity vulnerability that affects org.apache.solr:solr-core

Details

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:29Z"
}

References

Affected packages

Maven / org.apache.solr:solr-core

Package

Name: org.apache.solr:solr-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.solr/solr-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

7.0.0

Affected versions

5.*

5.0.0

5.1.0

5.2.0

5.2.1

5.3.0

5.3.1

5.3.2

5.4.0

5.4.1

5.5.0

5.5.1

5.5.2

5.5.3

5.5.4

5.5.5

6.*

6.0.0

6.0.1

6.1.0

6.2.0

6.2.1

6.3.0

6.4.0

6.4.1

6.4.2

6.5.0

6.5.1

6.6.0

6.6.1

6.6.2

6.6.3

6.6.4

6.6.5

6.6.6

Database specific

{
    "last_known_affected_version_range": "<= 5.5.5"
}