CVE-2013-6408 — XML Injection (aka Blind XPath Injection) in Apache Solr

CWE-91 — XML Injection (aka Blind XPath Injection)8 documents7 sources

Severity

6.4MEDIUMNVD

EPSS

11.4%

top 6.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Solr

Timeline

PublishedDec 7

Latest updateMay 17

Description

The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.

CVSS vector

AV:N/AC:L/C:P/I:N/A:PExploitability: 10.0 | Impact: 4.9

Affected Packages1 packages

▶NVDapache/solr4.3.0+7

Patches

Patch: issues.apache.org ↗Patch: issues.apache.org ↗

🔴Vulnerability Details

GHSA

XML Injection in Apache Solr↗2022-05-17

▶

OSV

XML Injection in Apache Solr↗2022-05-17

▶

OSV

CVE-2013-6408: The DocumentAnalysisRequestHandler in Apache Solr before 4↗2013-12-07

▶

CVEList

CVE-2013-6408: The DocumentAnalysisRequestHandler in Apache Solr before 4↗2013-12-07

▶

📋Vendor Advisories

Red Hat

Solr: XML eXternal Entity (XXE) flaw in DocumentAnalysisRequestHandler↗2013-05-31

▶

Debian

CVE-2013-6408: lucene-solr - The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly...↗2013

▶

💬Community

Bugzilla

CVE-2013-6408 Apache Solr: XML eXternal Entity (XXE) flaw in DocumentAnalysisRequestHandler↗2013-11-29

▶