XML External Entity (XXE) Injection Affecting lucene-solr package, versions <3.6.2+dfsg-12


Severity: high

Snyk's Security Team recommends NVD's CVSS assessment.

Threat Intelligence: EPSS 0.87% (83rd percentile)

  • Snyk ID: SNYK-DEBIANUNSTABLE-LUCENESOLR-330404
  • Published: 9 Apr 2018
  • Disclosed: 9 Apr 2018

Introduced: 9 Apr 2018

CVE-2018-1308
CWE-611

How to fix?

Upgrade Debian:unstable lucene-solr to version 3.6.2+dfsg-12 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream lucene-solr package and not the lucene-solr package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the &dataConfig=<inlinexml> parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
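The description above comes down to one parser setting: the inline dataConfig XML was parsed with external entity resolution enabled. The script below is an added illustration, not code from Solr, Debian or Snyk, of the check a defender runs against any XML parser configuration. One constructed dataConfig-shaped document, whose entity points at a temporary file of known content rather than a real secret, is fed to the parser three times: with external general entities enabled, with them disabled, and with DOCTYPE declarations rejected outright. Python's xml.sax (expat) parser stands in for the Java parser behind Solr's DataImportHandler; the document shape, the file content and all function names are assumptions made for the example.

```python
"""Added check for the XXE class described in the advisory above.

Illustration code, not Solr, Debian or Snyk code. Python's xml.sax
(expat) stands in for the XML parser behind Solr's DataImportHandler,
and a constructed temporary file stands in for a real file on the server.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import feature_external_ges, property_lexical_handler


class DoctypeRejected(Exception):
    """Raised by the hardened configuration when any DOCTYPE is seen."""


class _TextCollector(handler.ContentHandler):
    """Collects character data so we can see whether an entity expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class _NoDoctype:
    """Lexical handler that refuses DTDs: no DOCTYPE, no entity declarations."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE declaration rejected: %s" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_style_document(path):
    """Constructed dataConfig-shaped XML whose entity points at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE dataConfig [<!ENTITY ext SYSTEM "%s">]>\n'
        '<dataConfig><field>&ext;</field></dataConfig>' % path
    )


def parse_text(xml_text, resolve_external, reject_doctype=False):
    """Parse xml_text and return the character data found in the document.

    resolve_external=True re-enables external general entity expansion,
    the behaviour that makes XXE possible; False is the safe setting
    (and Python's default since 3.7.1). reject_doctype=True additionally
    aborts on any DOCTYPE, so no entity can be declared at all.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, _NoDoctype())
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(collector.chunks)


def check_parser_behaviour():
    """Run one XXE-style document through three parser configurations."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("secret-from-disk")  # constructed stand-in for a server-side file
        secret_path = fh.name
    doc = xxe_style_document(secret_path)
    results = {}
    try:
        # Unsafe configuration: the parser reads the file and inlines it.
        results["expansion_enabled"] = parse_text(doc, resolve_external=True)
        # Safe configuration: the entity reference is left unresolved.
        results["expansion_disabled"] = parse_text(doc, resolve_external=False)
        # Stricter still: reject the DOCTYPE before any entity is declared.
        try:
            parse_text(doc, resolve_external=False, reject_doctype=True)
            results["doctype_rejected"] = False
        except DoctypeRejected:
            results["doctype_rejected"] = True
    finally:
        os.unlink(secret_path)
    return results


if __name__ == "__main__":
    for name, value in check_parser_behaviour().items():
        print("%-19s %r" % (name, value))
```

With expansion enabled the collected text is the temporary file's content, which is exactly the read-arbitrary-local-files outcome the description states; with it disabled the field comes back empty, and the DOCTYPE-rejecting configuration never gets as far as declaring the entity. Rejecting the DOCTYPE is the more robust of the two fixes, because it also removes internal-entity amplification and parameter-entity tricks rather than relying on every individual resolution switch being turned off.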