PT-2019-5683 · Apache+1 · Apache Solr+1

Published

2019-12-30

·

Updated

2025-10-27

·

CVE-2019-17558

CVSS v2.0

8.5

High

Vector

AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache Solr versions 5.0.0 through 8.3.1

Description

The issue is related to insufficient input validation in the VelocityResponseWriter component of Apache Solr, allowing for remote code execution. A Velocity template can be provided through the velocity/ directory in a configset or as a parameter. User-defined configsets may contain potentially malicious templates. Parameter-provided templates are disabled by default but can be enabled by setting params.resource.loader.enabled to true through a response writer definition, which requires configuration API access.

Recommendations

For Apache Solr versions 5.0.0 through 8.3.1, consider disabling the VelocityResponseWriter until a patch is available, or upgrade to Apache Solr 8.4, which removes the params resource loader and only enables configset-provided template rendering for trusted configsets. As a temporary workaround, restrict access to the configuration API to minimize the risk of exploitation. Avoid using parameter-provided templates in the affected API endpoints until the issue is resolved.
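The recommendation above turns on one concrete setting a defender can check: whether any VelocityResponseWriter definition in a core's solrconfig.xml has params.resource.loader.enabled set to true. The following audit script is an added example, not code from Positive Technologies or the Apache Solr project. It parses the queryResponseWriter element layout and Solr's ${property:default} substitution syntax, which are Solr's own; the two solrconfig.xml fragments (one with the weak setting, one left at the default-off value) and the system-property values passed in are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample solrconfig.xml fragment: the VelocityResponseWriter definition
# turns on parameter-provided templates, the setting the advisory warns about.
WEAK_SOLRCONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="solr.resource.loader.enabled">${velocity.solr.resource.loader.enabled:true}</str>
    <str name="params.resource.loader.enabled">true</str>
  </queryResponseWriter>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>"""

# Constructed sample: the same writer with the parameter loader left at the
# default-off value, written with Solr's ${property:default} substitution syntax.
HARDENED_SOLRCONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:false}</str>
  </queryResponseWriter>
</config>"""

PARAMS_LOADER_KEY = "params.resource.loader.enabled"
_PROPERTY_REF = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")


def resolve_property(value, system_props):
    """Expand a ${name:default} reference against the given system properties.

    A plain literal is returned unchanged; an unset property with no default
    resolves to the empty string, which is not "true" and so counts as off.
    """
    match = _PROPERTY_REF.match(value.strip())
    if not match:
        return value.strip()
    name, default = match.group(1), match.group(2) or ""
    return system_props.get(name, default)


def audit_velocity_writers(solrconfig_xml, system_props=None):
    """Return one finding per VelocityResponseWriter in the configuration.

    Each finding records the writer name, whether parameter-provided templates
    are enabled, and a short risk label a reviewer can act on.
    """
    system_props = system_props or {}
    root = ET.fromstring(solrconfig_xml)
    findings = []
    for writer in root.iter("queryResponseWriter"):
        if not writer.get("class", "").endswith("VelocityResponseWriter"):
            continue
        # Collect the <str name="..."> children, resolving property references
        # the way Solr would at startup (system property, else the default).
        settings = {s.get("name"): resolve_property(s.text or "", system_props)
                    for s in writer.findall("str")}
        enabled = settings.get(PARAMS_LOADER_KEY, "false").lower() == "true"
        findings.append({
            "writer": writer.get("name"),
            "params_loader_enabled": enabled,
            "risk": "HIGH: parameter-provided Velocity templates are enabled"
                    if enabled else
                    "note: VelocityResponseWriter present; upgrade to 8.4 or disable it",
        })
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SOLRCONFIG), ("hardened", HARDENED_SOLRCONFIG)):
        for finding in audit_velocity_writers(cfg):
            print(f"[{label}] {finding['writer']}: {finding['risk']}")
```

Run it against each core's solrconfig.xml (fetched from disk or from the configuration API) and pass the Solr process's -D system properties as `system_props`, since a definition that reads `${velocity.params.resource.loader.enabled:false}` is only safe if the property is not set to true at startup. Any finding with `params_loader_enabled` true should be treated as the exposed configuration described in this record, regardless of the Solr version.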

Exploit

Fix

RCE

Code Injection

Special Elements Injection

Weakness Enumeration

Related Identifiers

BDU:2020-05183
CVE-2019-17558
GHSA-WW97-9W65-2CRX

Affected Products

Apache Solr
Debian