CVE-2013-6408 – org.apache.solr:solr-core

Package

Manager: maven
Name: org.apache.solr:solr-core
Vulnerable Version: >=0 <4.3.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.06719 pctl0.90892

Details

XML Injection in Apache Solr The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.

Metadata

Created: 2022-05-17T04:39:49Z
Modified: 2024-03-05T00:06:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-45w3-2hvv-pfxq/GHSA-45w3-2hvv-pfxq.json
CWE IDs: ["CWE-91"]
Alternative ID: GHSA-45w3-2hvv-pfxq
Finding: F083
Auto approve: 1