{"id":"CVE-2019-0193","details":"In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's \"dataConfig\" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property \"enable.dih.dataConfigParam\" to true.","aliases":["GHSA-3gm7-v7vw-866c"],"modified":"2026-05-18T05:50:31.944910588Z","published":"2019-08-01T14:15:13.113Z","database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*"],"vendor_product":"apache:solr","source":"CPE_FIELD","extracted_events":[{"introduced":"8.1.0"},{"fixed":"8.1.2"},{"introduced":"8.1.0"},{"fixed":"8.1.2"}]},{"cpes":["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux","source":"CPE_FIELD","extracted_events":[{"last_affected":"8.0"},{"last_affected":"9.0"}]}]},"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0193"},{"type":"ADVISORY","url":"https://issues.apache.org/jira/browse/SOLR-13669"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/10/msg00013.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00025.html"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66%40%3Cdev.lucene.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r339865b276614661770c909be1dd7e862232e3ef0af98bfd85686b51%40%3Cdev.lucene.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef%40%3Cusers.solr.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/1addbb49a1fc0947fb32ca663d76d93cfaade35a4848a76d4b4ded9c%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/42cc4d334ba33905b872a0aa00d6a481391951c8b1450f01b077ce74%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/55880d48e38ba9e8c41a3b9e41051dbfdef63b86b0cfeb32967edf03%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/6f2d61bd8732224c5fd3bdd84798f8e01e4542d3ee2f527a52a81b83%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/7143983363f0ba463475be4a8b775077070a08dbf075449b7beb51ee%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/9b0e7a7e3e18d0724f511403b364fc082ff56e3134d84cfece1c82fc%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/a6e3c09dba52b86d3a1273f82425973e1b0623c415d0e4f121d89eab%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/e85f735fad06a0fb46e74b7e6e9ce7ded20b59637cd9f993310f814d%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc%40%3Cusers.solr.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r33aed7ad4ee9833c4190a44e2b106efd2deb19504b85e012175540f6%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314%40%3Cusers.solr.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/rb34d820c21f1708c351f9035d6bc7daf80bfb6ef99b34f7af1d2f699%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8%40%3Ccommits.submarine.apache.org%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/lucene-solr","events":[{"introduced":"0"},{"fixed":"1a0d2a901dfec93676b0fe8be425101ceb754b85"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"7.7.3"}]}}],"versions":["releases/lucene-solr/7.7.2","releases/lucene-solr/7.7.1","releases/lucene-solr/7.7.0","history/branches/lucene-solr/lucene-6997","grafts/lucene-solr-copy","grafts/lucene-solr-oldest-merged","grafts/lucene-oldest"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-0193.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/apache/solr","events":[{"introduced":"0"},{"fixed":"1a0d2a901dfec93676b0fe8be425101ceb754b85"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"7.7.3"}]}}],"versions":["releases/lucene-solr/7.7.2","releases/lucene-solr/7.7.1","releases/lucene-solr/7.7.0","history/branches/lucene-solr/lucene-6997","grafts/lucene-solr-copy","grafts/lucene-solr-oldest-merged","grafts/lucene-oldest"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-0193.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}