CVE-2013-6408
Apache Solr < 4.3.1 - XML External Entity Injection via DocumentAnalysisRequestHandler
The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
References (7)
Core References
Patch [x_refsource_confirm]: http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup
Vendor Advisory [vendor-advisory, x_refsource_redhat]: http://rhn.redhat.com/errata/RHSA-2014-0029.html
Vendor Advisory [vendor-advisory, x_refsource_redhat]: http://rhn.redhat.com/errata/RHSA-2013-1844.html
Patch [x_refsource_confirm]: https://issues.apache.org/jira/browse/SOLR-4881
Vendor Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/55542
Mailing List [mailing-list, x_refsource_mlist]: http://www.openwall.com/lists/oss-security/2013/11/29/2
Third Party Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/59372
Scores
EPSS: 0.1139
EPSS Percentile: 93.7%
Details
Status: published
Products (9)
apache/solr 3.6.0
apache/solr 3.6.1
apache/solr 3.6.2
apache/solr 4.0.0 (3 CPE variants)
apache/solr 4.1.0
apache/solr 4.2.0
apache/solr 4.2.1
apache/solr < 4.3.0
org.apache.solr/solr-core 0 - 4.3.1 (Maven)
Published: Dec 07, 2013
Tracked Since: Feb 18, 2026