Fluid Attacks Database

Description

Improper Limitation of a Pathname to a Restricted Directory in Apache Solr Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.apache.solr:solr-core	>=0 <4.6.0	4.6.0
debian 11	lucene-solr	>=0 <3.6.2+dfsg-2	3.6.2+dfsg-2
debian 14	lucene-solr	>=0 <3.6.2+dfsg-2	3.6.2+dfsg-2
debian 12	lucene-solr	>=0 <3.6.2+dfsg-2	3.6.2+dfsg-2
debian 13	lucene-solr	>=0 <3.6.2+dfsg-2	3.6.2+dfsg-2
maven	org.apache.solr:solr-velocity	>=0 <=4.5.1	4.6.0

Aliases

1. CVE-2013-63972. NVD-2013-63973. OSV-2013-63974. OSV-DEBIAN-2013-63975. GCVE-2013-63976. SECURITY-TRACKER-CVE-2013-63977. BUGZILLA-CVE-2013-6397

References

1. https://github.com/apache/lucene-solr/commit/da34b18cb3092df4972e2b6fa5178d10599239102. https://issues.apache.org/jira/browse/SOLR-48823. https://web.archive.org/web/20170307173358/http://www.securityfocus.com/bid/639354. http://lucene.apache.org/solr/4_6_0/changes/Changes.html5. http://rhn.redhat.com/errata/RHSA-2013-1844.html6. http://rhn.redhat.com/errata/RHSA-2014-0029.html7. http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html8. http://www.openwall.com/lists/oss-security/2013/11/27/19. https://vulncheck.com/cve/CVE-2013-6397

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.