Apache Solr DataImportHandler dataConfig Parameter Security Vulnerability

Apache Solr DataImportHandler dataConfig Parameter Security Vulnerability

CVE-2019-0193 · HIGH Severity

AV:N/AC:L/AU:S/C:C/I:C/A:C

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

Learn more about our Cis Benchmark Audit For Apache Http Server.