XXE attack in Apache Solr - CVE-2018-8010
Published: May 24, 2018 / Updated: May 24, 2018
Vulnerability identifier: #VU13012
CSH Severity: Low
CVSS v4.0:
CVE-ID: CVE-2018-8010
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Solr
Apache Solr
Detailed vulnerability description
The vulnerability allows a remote attacker to conduct XXE attack and obtain potentially sensitive information.
The vulnerability exists in Xinclude functionality due to improper restriction of XML External Entity (XXE) references in solrconfig.xml, schema.xml, and managed-schema Solr configuration files. A remote attacker can send a file, FTP, or HTTP request that submits malicious input and read sensitive, local files from the system, which could be used to conduct further attacks.
How to mitigate CVE-2018-8010
Update to version 6.6.4 or 7.3.1.