CVE-2018-8026

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-8026

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-8026.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-8026

Aliases

GHSA-7px3-6f6g-hxcj

Published

2018-07-05T14:29:00Z

Modified

2024-11-21T04:13:07Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. The manipulated files can be uploaded as configsets using Solr's API, allowing to exploit that vulnerability.

References

Affected packages

Git / github.com/apache/lucene-solr

Affected ranges

Type: GIT
Repo: https://github.com/apache/lucene-solr
Events: Last affected

073a1feced1d96e0a1336dbe25055aafa2b5488f

Introduced

3ba304b29825a94249c5145b3f5061e87b87d8f8

Last affected

ae0705edb59eaa567fe13ed3a222fdadc7153680