GHSA-7px3-6f6g-hxcj

Suggest an improvement
Source
https://github.com/advisories/GHSA-7px3-6f6g-hxcj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-7px3-6f6g-hxcj/GHSA-7px3-6f6g-hxcj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7px3-6f6g-hxcj
Aliases
Published
2018-10-17T19:55:34Z
Modified
2024-03-04T23:47:14.641438Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
XML external entity expansion in org.apache.solr:solr-core
Details

This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. The manipulated files can be uploaded as configsets using Solr's API, allowing to exploit that vulnerability.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:23:12Z"
}
References

Affected packages

Maven / org.apache.solr:solr-core

Package

Name
org.apache.solr:solr-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.solr/solr-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.4.0

Affected versions

7.*

7.0.0
7.0.1
7.1.0
7.2.0
7.2.1
7.3.0
7.3.1

Maven / org.apache.solr:solr-core

Package

Name
org.apache.solr:solr-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.solr/solr-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.6.5

Affected versions

6.*

6.0.0
6.0.1
6.1.0
6.2.0
6.2.1
6.3.0
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4