org.apache.solr:solr-dataimporthandler@4.0.0-ALPHA vulnerabilities

  • latest version

    8.11.4

  • latest non vulnerable version

  • first published

    16 years ago

  • latest version published

    7 months ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.solr:solr-dataimporthandler package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    XML External Entity (XXE) Injection

    org.apache.solr:solr-dataimporthandler is a Solr DataImportHandler Java Library.

    Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. An attacker can inject external entities through DataImportHandler's dataConfig parameter, which sets the whole DIH configuration when the debug mode of the DIH admin screen is used.

    How to fix XML External Entity (XXE) Injection?

    Upgrade org.apache.solr:solr-dataimporthandler to version 8.0.0 or higher.

    Vulnerable versions: [,8.0.0)
    • H
    XML External Entity (XXE) Injection

    org.apache.solr:solr-dataimporthandler is a full-featured text search engine library written in Java.

    Affected versions of this package are vulnerable to XML External Entity (XXE) Injection in the &dataConfig=<inlinexml> parameter of Solr's DataImportHandler. The parameter can be abused for XXE over the file, ftp and http protocols to read arbitrary local files from the Solr server or from the internal network.

    How to fix XML External Entity (XXE) Injection?

    Upgrade org.apache.solr:solr-dataimporthandler to version 6.6.3, 7.3.0 or higher.

    Vulnerable versions: [,6.6.3) [7.0.0,7.3.0)