High severity · CISA KEV · NVD Advisory · Published Dec 30, 2019 · Updated Oct 21, 2025

CVE-2019-17558


Description

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided either as Velocity templates in a configset velocity/ directory or as a parameter. A user-defined configset could contain renderable, potentially malicious, templates. Parameter-provided templates are disabled by default, but can be enabled by defining a response writer with params.resource.loader.enabled set to true. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.solr:solr-core (Maven) | >= 5.0.0, < 8.4.0 | 8.4.0
org.apache.solr:solr-core (Maven) | >= 6.0.0, < 8.4.0 | 8.4.0
org.apache.solr:solr-core (Maven) | >= 7.0.0, < 8.4.0 | 8.4.0
org.apache.solr:solr-core (Maven) | >= 8.0.0, < 8.4.0 | 8.4.0

Affected products

  • Apache/Solr

Patches

1a0d2a901dfe

LUCENE-9170: Use HTTPS when downloading wagon-ssh artifacts

https://github.com/apache/lucene-solr · Mike Drob · Apr 1, 2020 · via osv
1 file changed · +7 −2
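--- a/lucene/common-build.xml
+++ b/lucene/common-build.xml
@@ -216,6 +216,7 @@
   <property name="m2.repository.private.key" value="${user.home}/.ssh/id_dsa"/>
   <property name="m2.repository.id" value="local"/>
   <property name="m2.credentials.prompt" value="true"/>
+  <property name="maven.repository.id" value="remote"/>
 
   <property name="tests.workDir" location="${build.dir}/test"/>
   <property name="junit.output.dir" location="${build.dir}/test"/>
@@ -650,9 +651,13 @@
     <attribute name="pom.xml"/>
     <attribute name="jar.file" default="${dist.jar.dir.prefix}-${version}/${dist.jar.dir.suffix}/${final.name}.jar"/>
     <sequential>
-      <artifact:install-provider artifactId="wagon-ssh" version="1.0-beta-7"/>
+      <artifact:install-provider artifactId="wagon-ssh" version="1.0-beta-7">
+        <remoteRepository id="${maven.repository.id}" url="${ivy_bootstrap_url1}" />
+      </artifact:install-provider>
       <parent-poms/>
-      <artifact:pom id="maven.project" file="@{pom.xml}"/>
+      <artifact:pom id="maven.project" file="@{pom.xml}">
+        <remoteRepository id="${maven.repository.id}" url="${ivy_bootstrap_url1}" />
+      </artifact:pom>
       <artifact:deploy file="@{jar.file}">
         <artifact-attachments/>
         <remoteRepository id="${m2.repository.id}" url="${m2.repository.url}">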
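Review bot: Both new `<remoteRepository>` elements (under `artifact:install-provider` and `artifact:pom`) resolve through `${ivy_bootstrap_url1}`, whose definition is not in this hunk, so the HTTPS guarantee stated in the commit title cannot be confirmed from these lines alone. A short comment next to the new `maven.repository.id` property would make that expectation explicit, e.g. `<!-- remote repository used to resolve wagon-ssh and parent POMs; ivy_bootstrap_url1 must remain an https:// URL -->`. The same id/url pair is repeated verbatim in both elements; a single `maven.repository.url` property alongside `maven.repository.id` would keep the two from drifting apart if the bootstrap URL is ever changed. The enclosing macrodef continues outside the hunk.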
    
bc02ab906445

LUCENE-9103: WANDScorer can miss some hits in some rare conditions.

https://github.com/apache/lucene-solr · Adrien Grand · Dec 19, 2019 · via osv
2 files changed · +32 −14
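--- a/lucene/CHANGES.txt
+++ b/lucene/CHANGES.txt
@@ -82,6 +82,8 @@ Bug Fixes
 * LUCENE-9055: Fix the detection of lines crossing triangles through edge points.
   (Ignacio Vera)
 
+* LUCENE-9103: Disjunctions can miss some hits in some rare conditions. (Adrien Grand)
+
 Other
 
 * LUCENE-8979: Code Cleanup: Use entryset for map iteration wherever possible. - Part 2 (Koen De Groote)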
    
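--- a/lucene/core/src/java/org/apache/lucene/search/WANDScorer.java
+++ b/lucene/core/src/java/org/apache/lucene/search/WANDScorer.java
@@ -185,6 +185,7 @@ private boolean ensureConsistent() {
     }
 
     assert minCompetitiveScore == 0 || tailMaxScore < minCompetitiveScore;
+    assert doc <= upTo;
 
     return true;
   }
@@ -374,17 +375,34 @@ private void updateMaxScores(int target) throws IOException {
     }
   }
 
+  /**
+   * Update {@code upTo} and maximum scores of sub scorers so that {@code upTo}
+   * is greater than or equal to the next candidate after {@code target}, i.e.
+   * the top of `head`.
+   */
   private void updateMaxScoresIfNecessary(int target) throws IOException {
     assert lead == null;
 
-    if (head.size() == 0) { // no matches in the current block
-      if (upTo != DocIdSetIterator.NO_MORE_DOCS) {
-        updateMaxScores(Math.max(target, upTo + 1));
+    while (upTo < DocIdSetIterator.NO_MORE_DOCS) {
+      if (head.size() == 0) {
+        // All clauses could fit in the tail, which means that the sum of the
+        // maximum scores of sub clauses is less than the minimum competitive score.
+        // Move to the next block until this condition becomes false.
+        target = Math.max(target, upTo + 1);
+        updateMaxScores(target);
+      } else if (head.top().doc > upTo) {
+        // We have a next candidate but it's not in the current block. We need to
+        // move to the next block in order to not miss any potential hits between
+        // `target` and `head.top().doc`.
+        assert head.top().doc >= target;
+        updateMaxScores(target);
+        break;
+      } else {
+        break;
       }
-    } else if (head.top().doc > upTo) { // the next candidate is in a different block
-      assert head.top().doc >= target;
-      updateMaxScores(target);
     }
+
+    assert upTo == DocIdSetIterator.NO_MORE_DOCS || (head.size() > 0 && head.top().doc <= upTo);
   }
 
   /** Set 'doc' to the next potential match, and move all disis of 'head' that
@@ -394,14 +412,12 @@ private void moveToNextCandidate(int target) throws IOException {
     updateMaxScoresIfNecessary(target);
     assert upTo >= target;
 
-    // If the head is empty, it means that the sum of all max scores is not
-    // enough to produce a competitive score. So we jump to the next block.
-    while (head.size() == 0) {
-      if (upTo == DocIdSetIterator.NO_MORE_DOCS) {
-        doc = DocIdSetIterator.NO_MORE_DOCS;
-        return;
-      }
-      updateMaxScores(upTo + 1);
+    // updateMaxScores tries to move forward until a block with matches is found
+    // so if the head is empty it means there are no matches at all anymore
+    if (head.size() == 0) {
+      assert upTo == DocIdSetIterator.NO_MORE_DOCS;
+      doc = DocIdSetIterator.NO_MORE_DOCS;
+      return;
     }
 
     // The top of `head` defines the next potential match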
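Review bot: The new `while (upTo < DocIdSetIterator.NO_MORE_DOCS)` loop in updateMaxScoresIfNecessary only terminates on the empty-head path if every `updateMaxScores(target)` call advances `upTo`; updateMaxScores is outside this hunk, so that is an inferred contract, and pinning it would make a future regression fail loudly instead of spinning — e.g. `final int previousUpTo = upTo;` before the call and `assert upTo > previousUpTo;` after it in the `head.size() == 0` branch. The new Javadoc mixes `{@code upTo}` with a backticked `head`; for consistency write `the top of {@code head}`. The trailing assertion `upTo == NO_MORE_DOCS || (head.size() > 0 && head.top().doc <= upTo)` is the postcondition that moveToNextCandidate now depends on (it replaced its own retry loop with a bare `assert upTo == DocIdSetIterator.NO_MORE_DOCS`), so stating that guarantee in the Javadoc would document why the caller's loop could be dropped. The moveToNextCandidate body continues outside the hunk.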
    

Vulnerability mechanics


References


News mentions

