Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNwcGgtMjU5NS1jZ2Zo
There is a XML external entity expansion (XXE) vulnerability in Apache Solr
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the &dataConfig=<inlinexml> parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNwcGgtMjU5NS1jZ2Zo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 6 years ago
Updated: 10 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00869
EPSS Percentile: 0.82156
Identifiers: GHSA-3pph-2595-cgfh, CVE-2018-1308
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1308
- https://github.com/advisories/GHSA-3pph-2595-cgfh
- https://issues.apache.org/jira/browse/SOLR-11971
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/04/msg00025.html
- https://mail-archives.apache.org/mod_mbox/www-announce/201804.mbox/%3C000001d3cf68%245ac69af0%241053d0d0%24%40apache.org%3E
- https://www.debian.org/security/2018/dsa-4194
- https://github.com/apache/lucene-solr/commit/3530397f1777332872eac2760f9aa0e2ae1d7450
- https://github.com/apache/lucene-solr/commit/739a7933
- https://github.com/apache/lucene-solr/commit/dd3be31f7062dcb2f3b2d7f0e89df29e197dee63
Blast Radius: 27.7
Affected Packages
maven:org.apache.solr:solr-core
Dependent packages: 377Dependent repositories: 4,902
Downloads:
Affected Version Ranges: >= 7.0.0, < 7.3.0, >= 1.2, < 6.6.3
Fixed in: 7.3.0, 6.6.3
All affected versions: 1.3.0, 1.4.0, 1.4.1, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.6.2, 4.0.0, 4.1.0, 4.2.0, 4.2.1, 4.3.0, 4.3.1, 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 6.0.0, 6.0.1, 6.1.0, 6.2.0, 6.2.1, 6.3.0, 6.4.0, 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 7.0.0, 7.0.1, 7.1.0, 7.2.0, 7.2.1
All unaffected versions: 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.3.0, 7.3.1, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1, 8.5.0, 8.5.1, 8.5.2, 8.6.0, 8.6.1, 8.6.2, 8.6.3, 8.7.0, 8.8.0, 8.8.1, 8.8.2, 8.9.0, 8.10.0, 8.10.1, 8.11.0, 8.11.1, 8.11.2, 8.11.3, 8.11.4, 9.0.0, 9.1.0, 9.1.1, 9.2.0, 9.2.1, 9.3.0, 9.4.0, 9.4.1, 9.5.0, 9.6.0, 9.6.1, 9.7.0