GHSA-3gm7-v7vw-866c

Suggest an improvement
Source
https://github.com/advisories/GHSA-3gm7-v7vw-866c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-3gm7-v7vw-866c/GHSA-3gm7-v7vw-866c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3gm7-v7vw-866c
Aliases
Published
2019-08-01T19:17:35Z
Modified
2024-03-14T05:19:04.400996Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
XML External Entity (XXE) Injection in Apache Solr
Details

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

References

Affected packages

Maven / org.apache.solr:solr-core

Package

Name
org.apache.solr:solr-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.solr/solr-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.2.0

Affected versions

1.*

1.3.0
1.4.0
1.4.1

3.*

3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.6.1
3.6.2

4.*

4.0.0-ALPHA
4.0.0-BETA
4.0.0
4.1.0
4.2.0
4.2.1
4.3.0
4.3.1
4.4.0
4.5.0
4.5.1
4.6.0
4.6.1
4.7.0
4.7.1
4.7.2
4.8.0
4.8.1
4.9.0
4.9.1
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4

5.*

5.0.0
5.1.0
5.2.0
5.2.1
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5

6.*

6.0.0
6.0.1
6.1.0
6.2.0
6.2.1
6.3.0
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.6.6

7.*

7.0.0
7.0.1
7.1.0
7.2.0
7.2.1
7.3.0
7.3.1
7.4.0
7.5.0
7.6.0
7.7.0
7.7.1
7.7.2
7.7.3

8.*

8.0.0
8.1.0
8.1.1