Candidate: CVE-2019-0193
PublicDate: 2019-08-01 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0193
 https://issues.apache.org/jira/browse/SOLR-13669
Description:
 In Apache Solr, the DataImportHandler, an optional but popular module to
 pull in data from databases and other sources, has a feature in which the
 whole DIH configuration can come from a request's "dataConfig" parameter.
 The debug mode of the DIH admin screen uses this to allow convenient
 debugging / development of a DIH config. Since a DIH config can contain
 scripts, this parameter is a security risk. Starting with version 8.2.0 of
 Solr, use of this parameter requires setting the Java System property
 "enable.dih.dataConfigParam" to true.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H [7.2 HIGH]

Patches_lucene-solr:
upstream_lucene-solr: needs-triage
precise/esm_lucene-solr: DNE
trusty_lucene-solr: ignored (out of standard support)
trusty/esm_lucene-solr: DNE
xenial_lucene-solr: ignored (end of standard support, was needs-triage)
bionic_lucene-solr: needs-triage
disco_lucene-solr: ignored (reached end-of-life)
eoan_lucene-solr: ignored (reached end-of-life)
focal_lucene-solr: not-affected (3.6.2+dfsg-22)
groovy_lucene-solr: not-affected (3.6.2+dfsg-22)
hirsute_lucene-solr: not-affected (3.6.2+dfsg-22)
impish_lucene-solr: not-affected (3.6.2+dfsg-22)
jammy_lucene-solr: not-affected (3.6.2+dfsg-22)
devel_lucene-solr: not-affected (3.6.2+dfsg-22)