A flaw was found in Apache Solr’s DataImportHandler(DIH). A DIH configuration containing scripts coming from a request’s dataConfig parameter allows an attacker to perform remote code execution.
Edit solrconfig.xml to configure all DataImportHandler usages with an "invariants" section listing the "dataConfig" parameter set to am empty string, or ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the DataImportHandler (although this is a best practice regardless) (ref: <https://issues.apache.org/jira/browse/SOLR-13669>)