{"id":"CVE-2019-17558","details":"Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).","aliases":["GHSA-ww97-9w65-2crx"],"modified":"2026-04-02T01:41:45.821215Z","published":"2019-12-30T17:15:19.780Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-17558"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r36e35fd76239a381643555966fb3e72139e018d52d76544fb42f96d8%40%3Cissues.lucene.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r339865b276614661770c909be1dd7e862232e3ef0af98bfd85686b51%40%3Cdev.lucene.apache.org%3E"},{"type":"FIX","url":"https://issues.apache.org/jira/browse/SOLR-13971"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/rb964fe5c4e3fc05f75e8f74bf6b885f456b7a7750c36e9a8045c627a%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/re8d12db916b5582a23ed144b9c5abd0bea0be1649231aa880f6cbfff%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r9271d030452170ba6160c022757e1b5af8a4c9ccf9e04164dec02e7f%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8%40%3Ccommits.submarine.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/rde3dbd8e646dabf8bef1b097e9a13ee0ecbdb8441aaed6092726c98d%40%3Cissues.ambari.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r99c3f7ec3a079e2abbd540ecdb55a0e2a0f349ca7084273a12e87aeb%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/rafc939fdd753f55707841cd5886fc7fcad4d8d8ba0c72429b3220a9a%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r12ab2cb15a34e49b4fecb5b2bdd7e10f3e8b7bf1f4f47fcde34d3a7c%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r58c58fe51c87bc30ee13bb8b4c83587f023edb349018705208e65b37%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r5dc200f7337093285bac40e6d5de5ea66597c3da343a0f7553f1bb12%40%3Csolr-user.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r25f1bd4545617f5b86dde27b4c30fec73117af65598a30e20209739a%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66%40%3Cdev.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r7f21ab40a9b17b1a703db84ac56773fcabacd4cc1eb5c4700d17c071%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r8a36e4f92f4449dec517e560e1b55639f31b3aca26c37bbad45e31de%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r0b7b9d4113e6ec1ae1d3d0898c645f758511107ea44f0f3a1210c5d5%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r79c7e75f90e735fd32c4e3e97340625aab66c09dfe8c4dc0ab768b69%40%3Csolr-user.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r7b89b3dcfc1b6c52dd8d610b897ac98408245040c92b484fe97a51a2%40%3Csolr-user.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/ra29fa6ede5184385bf2c63e8ec054990a7d4622bba1d244bee70d82d%40%3Cissues.lucene.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r8e7a3c253a695a7667da0b0ec57f9bb0e31f039e62afbc00a1d96f7b%40%3Csolr-user.lucene.apache.org%3E"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"https://lists.apache.org/thread.html/rf6d7ffae2b940114324e036b6394beadf27696d051ae0c4a5edf07af%40%3Cissues.lucene.apache.org%3E"},{"type":"EVIDENCE","url":"https://lists.apache.org/thread.html/r5074d814d3a8c75df4b20e66bfd268ee0a73ddea7e85070cec3ae78d%40%3Cissues.lucene.apache.org%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/lucene-solr","events":[{"introduced":"859fdefbceb3ffe088e5091fd695380e81a49c11"},{"fixed":"1a0d2a901dfec93676b0fe8be425101ceb754b85"},{"introduced":"2ae4746365c1ee72a0047ced7610b2096e438979"},{"fixed":"bc02ab906445fcf4e297f4ef00ab4a54fdd72ca2"}],"database_specific":{"versions":[{"introduced":"5.0.0"},{"fixed":"7.7.3"},{"introduced":"8.0.0"},{"fixed":"8.4.0"}]}}],"versions":["releases/lucene-solr/5.0.0","releases/lucene-solr/8.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17558.json","unresolved_ranges":[{"events":[{"introduced":"17.7"},{"last_affected":"17.12"}]},{"events":[{"introduced":"0"},{"last_affected":"16.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.2"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]}],"vanir_signatures":[{"signature_version":"v1","target":{"file":"lucene/core/src/java/org/apache/lucene/search/WANDScorer.java","function":"updateMaxScoresIfNecessary"},"source":"https://github.com/apache/lucene-solr/commit/bc02ab906445fcf4e297f4ef00ab4a54fdd72ca2","signature_type":"Function","id":"CVE-2019-17558-039dc237","digest":{"function_hash":"322242177661752511937924035288649921527","length":328},"deprecated":false},{"signature_version":"v1","target":{"file":"lucene/core/src/java/org/apache/lucene/search/WANDScorer.java","function":"moveToNextCandidate"},"source":"https://github.com/apache/lucene-solr/commit/bc02ab906445fcf4e297f4ef00ab4a54fdd72ca2","signature_type":"Function","id":"CVE-2019-17558-102dd728","digest":{"function_hash":"244474418792315512363679098986362738814","length":471},"deprecated":false},{"signature_version":"v1","target":{"file":"lucene/core/src/java/org/apache/lucene/search/WANDScorer.java"},"source":"https://github.com/apache/lucene-solr/commit/bc02ab906445fcf4e297f4ef00ab4a54fdd72ca2","signature_type":"Line","id":"CVE-2019-17558-4f521a55","digest":{"threshold":0.9,"line_hashes":["10976882414751950059638941419805426406","260795584727661223934841198029275441205","216415124429699038245315793260080470919","113103799677471152268327625975095285324","310702034111532898610091903369918583712","129694276526351264338253314871698247299","232290896416728705449528819231863431097","89102533218185564099916814835993664349","88606249965852866247906205929793664521","273521214631987130644931925530095859403","224933079362674767285091952969036625369","152900188039338513821490365627883143598","271725351231511105376536441707262420576","64775850617713722400768704247069873496","244340295914217652509684822062533932710","65166252091635503247965469955768007773","226398673730486759669544059628531448018","39124477276929361676344463950216212223","2951874098677077266422638812207411270","324638678557101068722981678526310048922","124904179403201680304427297224929936643","113587944783476531418173577044953778640","243295425330906427916905801286067497753","317625615714492643056792171813033081785","173936996566032374848684447259902239194","256534710829691687571498261740940689786"]},"deprecated":false},{"signature_version":"v1","target":{"file":"lucene/core/src/java/org/apache/lucene/search/WANDScorer.java","function":"ensureConsistent"},"source":"https://github.com/apache/lucene-solr/commit/bc02ab906445fcf4e297f4ef00ab4a54fdd72ca2","signature_type":"Function","id":"CVE-2019-17558-5372ac40","digest":{"function_hash":"173751753590951628048193649735113508834","length":581},"deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}