Vulnerability in Apache Software Foundation Solr
CVE-2019-0192
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows configuring the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserializat…
EPSS: 0.935 (99.8th percentile).
Affected products
- Apache Software Foundation Solr — versions Apache Solr 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5
Public proof-of-concept exploits
References
- 107318 (vdb-entry, x_refsource_BID)
- [www-announce] 20190307 CVE-2019-0192 Deserialization of untrusted data via jmx.serviceUrl in Apache Solr (mailing-list, x_refsource_MLIST)
- [lucene-dev] 20190320 [jira] [Commented] (SOLR-13301) [CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl (mailing-list, x_refsource_MLIST)
- [lucene-dev] 20190320 [jira] [Issue Comment Deleted] (SOLR-13301) [CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl (mailing-list, x_refsource_MLIST)
- [lucene-dev] 20190326 [jira] [Updated] (SOLR-13301) [CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl (mailing-list, x_refsource_MLIST)
- [lucene-dev] 20190326 [jira] [Commented] (SOLR-13301) [CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl (mailing-list, x_refsource_MLIST)
- [lucene-dev] 20190327 [jira] [Commented] (SOLR-13301) [CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl (mailing-list, x_refsource_MLIST)
- RHSA-2019:2413 (vendor-advisory, x_refsource_REDHAT)
- [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html (mailing-list, x_refsource_MLIST)
- [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2019-0192?
- CVE-2019-0192 is a vulnerability in Apache Software Foundation Solr. Published 2019-03-07.
- Is CVE-2019-0192 known to be exploited?
- 31 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.