XML External Entity Vulnerability in Apache Solr by Apache
CVE-2018-8010

5.5 MEDIUM

Key Information:

Vendor
Apache
CVE Published:
21 May 2018

Summary

The vulnerability in Apache Solr is an XML external entity (XXE) issue: improper handling of XML external entities enables attackers to read arbitrary files from the server. It affects the Solr configuration files (solrconfig.xml, schema.xml, managed-schema) as well as the XInclude functionality available in them, and can be exploited over the file, FTP, or HTTP protocols. To mitigate the risk, update to release 6.6.4 or 7.3.1, which restrict access to local files and Zookeeper resources while denying absolute URLs.
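As an added example (not Apache's code and not part of this advisory), here is a heuristic review check for the config files named above: it lists external entity declarations and XInclude hrefs and marks the ones that are absolute URLs, which the fixed releases deny. The sample config, the function names and the regex-based approach are assumptions made for this illustration.

```python
import re

# External entity declarations: <!ENTITY name SYSTEM "uri"> or
# <!ENTITY name PUBLIC "public-id" "uri"> (also parameter entities: "% name").
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?[\w.:-]+\s+(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|\'[^\']*\'))'
    r'\s+(["\'])(.*?)\1', re.S)
# XInclude elements, whatever prefix is bound to the XInclude namespace.
INCLUDE_RE = re.compile(
    r'<(?:[\w.-]+:)?include\b[^>]*?\bhref\s*=\s*(["\'])(.*?)\1', re.S)
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*:')   # file:, ftp:, http:, ...
COMMENT_RE = re.compile(r'<!--.*?-->', re.S)

def scan_config(xml_text):
    """Return (kind, target, is_absolute_url) for every external reference.

    Works on the raw text so the untrusted file is never handed to an XML parser.
    """
    text = COMMENT_RE.sub('', xml_text)          # ignore commented-out markup
    findings = []
    for kind, rx in (("external-entity", ENTITY_RE), ("xinclude", INCLUDE_RE)):
        for m in rx.finditer(text):
            target = m.group(2).strip()
            findings.append((kind, target, bool(SCHEME_RE.match(target))))
    return findings

def absolute_refs(findings):
    """Keep only the references that point at an absolute URL."""
    return [f for f in findings if f[2]]

# Constructed sample config (placeholder hosts and paths, not from the advisory).
SAMPLE = '''<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY ext SYSTEM "http://placeholder.invalid/ext.dtd">
]>
<config xmlns:xi="http://www.w3.org/2001/XInclude">
  <!-- <xi:include href="file:///ignored/in/comment.xml"/> -->
  <xi:include href="solrconfig_extra.xml"/>
  <xi:include href="file:///placeholder/path.xml"/>
  <luceneMatchVersion>7.3.0</luceneMatchVersion>
</config>'''

if __name__ == "__main__":
    for kind, target, absolute in scan_config(SAMPLE):
        print(f"{'REVIEW' if absolute else 'note  '} {kind:16} {target}")
```

Any external entity declaration in a Solr config file is worth a manual look even when its target is relative; the absolute-URL flag only separates the cases the patched releases refuse outright.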

Affected Version(s)

Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
