org.apache.solr:solr-dataimporthandler@4.5.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.solr:solr-dataimporthandler package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
XML External Entity (XXE) Injection

org.apache.solr:solr-dataimporthandler is a Solr DataImportHandler Java Library.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. It is possible for an attacker to inject external entities through DataImportHandler's dataConfig parameter which is used for setting the whole DIH configuration when using debug mode of the DIH admin screen.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.solr:solr-dataimporthandler to version 8.0.0 or higher.

[,8.0.0)
  • H
XML External Entity (XXE) Injection

org.apache.solr:solr-dataimporthandler is a full featured text search engine library written in Java.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection in the &dataConfig=<inlinexml> parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.solr:solr-dataimporthandler to version 6.6.3, 7.3.0 or higher.

[,6.6.3) [7.0.0,7.3.0)