Main Vulnerability Database SB2018052405

SB2018052405 - Information disclosure in Apache Solr

Published: May 24, 2018

Security Bulletin ID SB2018052405

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) XXE attack (CVE-ID: CVE-2018-8010)

The vulnerability allows a remote attacker to conduct XXE attack and obtain potentially sensitive information.

The vulnerability exists in Xinclude functionality due to improper restriction of XML External Entity (XXE) references in solrconfig.xml, schema.xml, and managed-schema Solr configuration files. A remote attacker can send a file, FTP, or HTTP request that submits malicious input and read sensitive, local files from the system, which could be used to conduct further attacks.

Remediation

Install update from vendor's website.

References

https://mail-archives.apache.org/mod_mbox/www-announce/201805.mbox/%3C08a801d3f0f9%24df46d300%249dd4...