Vulnerability Description
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 is an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be exploited as an XXE through the file/ftp/http protocols to read arbitrary local files from the Solr server or resources on the internal network.
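As an added defensive example (not from the advisory or the Solr project), the following Python check scans access-log lines for requests to the DataImportHandler endpoint whose inline dataConfig carries a DOCTYPE or ENTITY declaration, which a legitimate inline configuration never needs. The log lines, core name and client addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not taken from the page.
# Line 2 is a benign inline config, line 3 carries a DTD with an external entity.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2018:10:00:01 +0000] "GET /solr/core1/select?q=*:*&wt=json HTTP/1.1" 200 512
10.0.0.7 - - [01/Apr/2018:10:00:02 +0000] "GET /solr/core1/dataimport?command=full-import&dataConfig=%3CdataConfig%3E%3Cdocument%3E%3C/document%3E%3C/dataConfig%3E HTTP/1.1" 200 210
10.0.0.9 - - [01/Apr/2018:10:00:03 +0000] "POST /solr/core1/dataimport?command=full-import&dataConfig=%3C%21DOCTYPE+x+%5B%3C%21ENTITY+e+SYSTEM+%22file%3A///constructed%22%3E%5D%3E%3CdataConfig/%3E HTTP/1.1" 200 230
"""

# Request line inside the quoted part of a common-log-format entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Any DTD declaration inside the inline config is suspicious: XXE needs a DOCTYPE/ENTITY.
SUSPECT = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def inline_data_config(line):
    """Return the URL-decoded inline dataConfig of a DataImportHandler request, else None.

    Only the query string is visible in an access log; a dataConfig sent in a POST
    body would need request-body logging or a WAF to inspect.
    """
    m = REQ_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.rstrip("/").endswith("/dataimport"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("dataConfig")
    return values[0] if values else None


def flag_xxe_attempts(log_text):
    """Return (line_no, client_ip, decoded_config) for inline configs carrying DTD declarations."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        cfg = inline_data_config(line)
        if cfg is not None and SUSPECT.search(cfg):
            hits.append((n, line.split(" ", 1)[0], cfg))
    return hits


if __name__ == "__main__":
    for n, ip, cfg in flag_xxe_attempts(SAMPLE_LOG):
        print(f"line {n}: {ip} sent inline dataConfig with DTD: {cfg[:60]}...")
```

On unpatched versions, any inline dataConfig from an untrusted network segment is worth alerting on, not only those with a DTD, since the handler should normally be restricted to administrators.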
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Solr | >= 1.2, <= 6.6.2 |
| Debian | Debian Linux | 7.0 |
Related Weaknesses (CWE)
References
- https://issues.apache.org/jira/browse/SOLR-11971 (Issue Tracking, Third Party Advisory)
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c24
- https://lists.debian.org/debian-lts-announce/2018/04/msg00025.html (Third Party Advisory)
- https://mail-archives.apache.org/mod_mbox/www-announce/201804.mbox/%3C000001d3cf (Mitigation, Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4194 (Third Party Advisory)
FAQ
What is CVE-2018-1308?
CVE-2018-1308 is a vulnerability with a CVSS score of 7.5 (HIGH). This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be us...
How severe is CVE-2018-1308?
CVE-2018-1308 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1308?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Solr, Debian Debian Linux.