Описание
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | ignored | end of standard support, was needs-triage |
| devel | not-affected | 3.6.2+dfsg-22 |
| disco | ignored | end of life |
| eoan | ignored | end of life |
| esm-apps/bionic | released | 3.6.2+dfsg-18~18.04.1~esm2 |
| esm-apps/focal | not-affected | 3.6.2+dfsg-22 |
| esm-apps/jammy | not-affected | 3.6.2+dfsg-22 |
| esm-apps/noble | not-affected | 3.6.2+dfsg-22 |
| esm-apps/xenial | released | 3.6.2+dfsg-8ubuntu0.1+esm1 |
| esm-infra-legacy/trusty | released | 3.6.2+dfsg-2ubuntu0.1~esm4 |
Показывать по
EPSS
9 Critical
CVSS2
7.2 High
CVSS3
Связанные уязвимости
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
In Apache Solr, the DataImportHandler, an optional but popular module ...
XML External Entity (XXE) Injection in Apache Solr
Уязвимость модуля DataImportHandler поискового сервера Apache Solr, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
EPSS
9 Critical
CVSS2
7.2 High
CVSS3