CVE-2018-1308

HIGH

Apache Solr 1.2-6.6.2 and 7.0.0-7.2.1 - XML External Entity Injection via DataImportHandler Inline XML Parameter

Title source: llm

Description

This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 is an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be exploited as an XXE over the file, ftp and http protocols to read arbitrary local files from the Solr server or from the internal network.

References (5)

Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4194
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/04/msg00025.html
Issue Tracking, Third Party Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/SOLR-11971

Scores

CVSS v3 7.5
EPSS 0.0434
EPSS Percentile 89.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-611
Status published
Products (5)
apache/solr 1.2 - 6.6.2
debian/debian_linux 7.0
debian/debian_linux 8.0
debian/debian_linux 9.0
org.apache.solr/solr-core 1.2 - 6.6.3 (Maven)
Published Apr 09, 2018
Tracked Since Feb 18, 2026