CVE-2018-1308

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Solr
Vendor: CVE Published:; 9 April 2018

Summary

This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the &dataConfig=<inlinexml> parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.

Affected Version(s)

Apache Solr 1.2 to 6.6.2

Apache Solr 7.0.0 to 7.2.1

References

https://www.debian.org/security/2018/dsa-4194

vendor-advisoryx_refsource_DEBIAN

https://lists.debian.org/debian-lts-announce/2018/04/msg0...

mailing-listx_refsource_MLIST

https://mail-archives.apache.org/mod_mbox/www-announce/20...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 9, 2018
Vulnerability Reserved
Dec 7, 2017

Collectors

NVD DatabaseMitre Database

.