CVE-2013-6397
Published 2013-12-07
Priority: P178 (medium)
CVSS 2.0: 4.3 medium, AV:N/AC:M/Au:N/C:P/I:N/A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 56.26% (98.9th percentile)
Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | solr | <= 4.5.1 | 4.6 |
| debian | lucene-solr | < 3.6.2+dfsg-2 | 3.6.2+dfsg-2 (bookworm) |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET INFO Apache Solr System Information Request"; flow:established,to_server; http.uri; content:"/solr/admin/info/system"; reference:url,www.exploit-db.com/exploits/47572; reference:url,web.archive.org/web/20190718141548/https://www.agarri.fr/blog/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html; classtype:misc-activity; sid:2031504; rev:4; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, confidence High, signature_severity Informational, updated_at 2026_01_20;)
- Monitor HTTP requests to /solr/select/ (and the per-core form /solr/<core>/select) where the tr parameter contains a directory traversal sequence (../, including percent-encoded forms such as %2e%2e%2f) or an absolute path, combined with wt=xslt in the query string. A traversing tr value with another response writer is not a read on its own, but it is still worth flagging as probing.
- The XXE chain in the description works in the other direction from what the bullet might suggest: the XXE lives in a separate, reachable application and is used as a server-side request forgery so that application fetches the Solr URL on the attacker's behalf, which is how an otherwise unreachable Solr instance gets hit. Look for XML submitted to other applications whose DOCTYPE/ENTITY declarations point at an internal Solr URL, and for /solr/select/ requests whose source is an application host rather than the usual search clients.
- Solr REST endpoints that load XSL stylesheets or Velocity templates via SolrResourceLoader are the attack surface; monitor for unexpected or absolute path values in REST parameters feeding these components.
- Reconnaissance against /solr/admin/info/system is associated with CVE-2013-6397 exploitation chains; alert on inbound HTTP requests to this URI (ET SID 2031504). The rule is informational (classtype misc-activity) and also fires on legitimate admin UI traffic, so treat it as a reconnaissance indicator to correlate with the /solr/select/ pattern above, not as confirmation of exploitation.
- The vulnerability affects Apache Solr versions before 4.6; ensure the deployed version is 4.6 or later (or the patched Debian package 3.6.2+dfsg-2) to confirm the fix is in place.
- Before the fix, SolrResourceLoader loaded resources via absolute paths, or relative paths not sanitized for directory traversal. Solr 4.6 (SOLR-4882) restricts the loader to the core's config and lib directories, but that protection can be switched off with the system property solr.allow.unsafe.resourceloading=true; verify that the property is not set on the running JVM and that path containment is actually enforced in the deployed configuration.
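The first detection bullet above, turned into working log-scanning code. This is an added example, not code from the page, from Emerging Threats or from Apache Solr; the access-log lines are constructed for the example and are not real traffic. It matches /solr/select, /solr/select/ and /solr/<core>/select, decodes the tr value repeatedly so percent-encoded and double-encoded traversal is caught, and distinguishes the full CVE-2013-6397 pattern (wt=xslt plus a traversing tr) from a traversing tr with another writer.

```python
"""Flag CVE-2013-6397 exploitation attempts in HTTP access logs (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Nov/2013:10:00:01 +0000] "GET /solr/select/?q=*:*&wt=xslt&tr=../../../../etc/passwd HTTP/1.1" 200 1422
10.0.0.5 - - [27/Nov/2013:10:00:02 +0000] "GET /solr/select/?q=*:*&wt=xslt&tr=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1422
10.0.0.5 - - [27/Nov/2013:10:00:03 +0000] "GET /solr/collection1/select?q=*:*&wt=xslt&tr=/etc/passwd HTTP/1.1" 200 1422
10.0.0.7 - - [27/Nov/2013:10:00:04 +0000] "GET /solr/select/?q=*:*&wt=xslt&tr=example.xsl HTTP/1.1" 200 5120
10.0.0.7 - - [27/Nov/2013:10:00:05 +0000] "GET /solr/select/?q=*:*&wt=json&tr=../../etc/passwd HTTP/1.1" 200 98
10.0.0.9 - - [27/Nov/2013:10:00:06 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 200 2210
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# /solr/select, /solr/select/ and /solr/<core>/select are all select-handler paths.
SELECT_PATH_RE = re.compile(r"^/solr(?:/[^/]+)*/select/?$")


def fully_unquote(value, rounds=3):
    """Percent-decode until stable (bounded) so double encoding does not evade the check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(name):
    """True if a resource name would leave its base directory: a '..' segment or an absolute path."""
    normalized = fully_unquote(name).replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:/", normalized):
        return True
    return ".." in normalized.split("/")


def classify_request(target):
    """Return 'cve-2013-6397' for wt=xslt plus a traversing tr, 'suspicious-tr' for a
    traversing tr with any other writer, and None for everything else."""
    parts = urlsplit(target)
    if not SELECT_PATH_RE.match(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs already decodes once
    tr_values = params.get("tr", [])
    writers = {v.lower() for v in params.get("wt", [])}
    if not any(has_traversal(v) for v in tr_values):
        return None
    return "cve-2013-6397" if "xslt" in writers else "suspicious-tr"


def scan_access_log(text):
    """Return a list of (line number, verdict, request target) for each flagged request line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        verdict = classify_request(match.group("target"))
        if verdict:
            hits.append((lineno, verdict, match.group("target")))
    return hits


if __name__ == "__main__":
    for lineno, verdict, target in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}: {target}")
```

Run against the constructed log, lines 1 to 3 come back as the full pattern (plain, percent-encoded and absolute-path forms), line 5 as a traversing tr without the XSLT writer, and the legitimate stylesheet request and the admin/info/system request are not flagged. Feed real logs through `scan_access_log` line by line; the wt/tr parsing is the same for POST bodies if you extract the form parameters first.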
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | 2.0 | 4.3 | MEDIUM | |
| vulncheck | 2.0 | 4.3 | MEDIUM | |
| vendor_debian | 2.0 | 4.3 | MEDIUM | |
| vendor_redhat | 2.0 | 4.3 | MEDIUM | |
GHSA
Improper Limitation of a Pathname to a Restricted Directory in Apache Solr
ghsa · 2022-05-17 · CVE-2013-6397 [MEDIUM] · CWE-22
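The CWE-22 weakness the GHSA entry names, shown as the pre-fix and hardened forms of a resource-name check. This is an added example written for this page, not Solr's own SolrResourceLoader code; `CONF_DIR` is a hypothetical core config directory and the probe names are made up. The unsafe function reproduces the behaviour the description attributes to Solr before 4.6 (an absolute name replaces the base directory outright, and `..` segments in a relative name are honoured); the safe function resolves the candidate, following symlinks, and refuses anything that does not stay under the base directory.

```python
"""Resource-name containment: vulnerable form beside hardened form (added example)."""
from pathlib import Path

CONF_DIR = "/var/solr/collection1/conf"  # hypothetical core config directory


def resolve_resource_unsafe(base_dir, name):
    """Pre-fix behaviour: Path(base, '/etc/passwd') discards base, and '..' walks upward."""
    return Path(base_dir, name).resolve()


def resolve_resource_safe(base_dir, name):
    """Hardened: the resolved candidate must be the base directory itself or lie beneath it."""
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()  # a leading '/' in name replaces base here too, so check after resolving
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"resource {name!r} resolves outside {base}")
    return candidate


def check_names(base_dir, names):
    """Return {name: 'allowed' | 'blocked'} for a list of candidate tr values."""
    results = {}
    for name in names:
        try:
            resolve_resource_safe(base_dir, name)
            results[name] = "allowed"
        except PermissionError:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    probes = ["xslt/example.xsl", "../../../../etc/passwd", "/etc/passwd", "xslt/../xslt/a.xsl"]
    for name in probes:
        print(f"{name!r:32} unsafe -> {resolve_resource_unsafe(CONF_DIR, name)}")
    print(check_names(CONF_DIR, probes))
```

The check is done on the resolved path rather than on the raw string so that `xslt/../xslt/a.xsl` (still inside the directory) is allowed while `../../../../etc/passwd` and `/etc/passwd` are both refused; a symlink inside the config directory that points outside it is also caught, because `resolve()` follows it before the containment test.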
OSV
Improper Limitation of a Pathname to a Restricted Directory in Apache Solr
osv · 2022-05-17 · CVE-2013-6397 [MEDIUM]
OSV
CVE-2013-6397: Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4
osv · 2013-12-07 · CVE-2013-6397 [MEDIUM] · CVSS 4.3
VulnCheck
Apache Solr Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2013 · CVE-2013-6397 [MEDIUM] · CVSS 4.3
Affected: Apache Solr
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024;
Red Hat
Solr: directory traversal when loading XSL stylesheets and Velocity templates
vendor_redhat · 2013-11-26 · CVE-2013-6397 [MEDIUM] · CWE-22 · CVSS 4.3
Package: solr (Red Hat JBoss Data Grid 6) - Affected
Debian
CVE-2013-6397: lucene-solr - Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4....
vendor_debian · 2013 · CVE-2013-6397 [MEDIUM] · CVSS 4.3
Scope: local
bookworm: resolved (fixed in 3.6.2+dfsg-2)
bullseye: resolved (fixed in 3.6.2+dfsg-2)
forky: resolved (fixed in 3.6.2+dfsg-2)
sid: resolved (fixed in 3.6.2+dfsg-2)
trixie: resolved (fixed in 3.6.2+dfsg-2)
Suricata
ET INFO Apache Solr System Information Request
suricata · 2021-01-08 · CVE-2013-6397
Rule: ET SID 2031504 rev 4 (full rule text under Detection & IOCs above)
No public exploits indexed.
References
- http://lucene.apache.org/solr/4_6_0/changes/Changes.html
- http://rhn.redhat.com/errata/RHSA-2013-1844.html
- http://rhn.redhat.com/errata/RHSA-2014-0029.html
- http://secunia.com/advisories/55730
- http://secunia.com/advisories/59372
- http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html
- http://www.openwall.com/lists/oss-security/2013/11/27/1
- http://www.securityfocus.com/bid/63935
- https://issues.apache.org/jira/browse/SOLR-4882