XML Injection in Apache Solr

Moderate severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Mar 5, 2024

Package

org.apache.solr:solr-core (Maven)

Affected versions

< 4.3.1

Patched versions

4.3.1

Description

The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
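
The defensive pattern the description refers to, as an added example (not Solr's code and not part of the advisory): a StAX factory whose resolver maps every external entity to empty content, applied to the reader that parses the request. The class name, sample document and placeholder path are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added illustration; class name and sample input are constructed, not taken from Solr.
public class EmptyResolverDemo {

    // Constructed request body: declares an external entity and references it in a field.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE docs [ <!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\"> ]>\n"
        + "<docs><doc><field name=\"text\">before[&ext;]after</field></doc></docs>";

    // Factory that still accepts a DOCTYPE but never fetches anything external.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.TRUE);
        // Every external entity (and external DTD subset) resolves to zero bytes.
        f.setXMLResolver((publicId, systemId, baseUri, namespace) ->
            new ByteArrayInputStream(new byte[0]));
        return f;
    }

    // Returns the text of the first <field> element as the parser sees it.
    static String firstFieldText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "field".equals(r.getLocalName())) {
                    return r.getElementText();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // The resolver must be set on the factory that actually creates the reader;
        // a hardened factory that a handler bypasses gives no protection.
        System.out.println(firstFieldText(hardenedFactory(), SAMPLE));
    }
}
```

Where DTDs are not needed at all, setting `XMLInputFactory.SUPPORT_DTD` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` to `false` is a stricter alternative to an empty resolver.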

References

Published by the National Vulnerability Database Dec 7, 2013
Published to the GitHub Advisory Database May 17, 2022
Reviewed Jul 7, 2022
Last updated Mar 5, 2024

Severity

Moderate

EPSS score

0.335%
(72nd percentile)

CVE ID

CVE-2013-6408

GHSA ID

GHSA-45w3-2hvv-pfxq
