CVE-2018-8010

Severity
5.5 MEDIUM
EPSS
1.7%
top 17.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published May 21
Latest update Oct 17

Description

This vulnerability in Apache Solr 6.0.0 to 6.6.3 and 7.0.0 to 7.3.0 is an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). The XInclude functionality provided in these config files is affected in a similar way. The vulnerability can be used as XXE over the file/ftp/http protocols to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages: 3 packages

Maven | org.apache.solr:solr-core | 6.6.0 | 6.6.4 | +1
NVD | apache/solr | 6.0.0 | 6.6.3 | +1
CVEListV5 | apache_software_foundation/apache_solr | Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0

🔴 Vulnerability Details (3)

GHSA: There is a XML external entity expansion (XXE) vulnerability in Apache Solr config files (2018-10-17)
OSV: There is a XML external entity expansion (XXE) vulnerability in Apache Solr config files (2018-10-17)
CVEList: CVE-2018-8010: This vulnerability in Apache Solr 6 (2018-05-21)

📋 Vendor Advisories (2)

Red Hat: solr: XML external entity expansion in config files allows attackers to read arbitrary files (2018-05-21)
Debian: CVE-2018-8010: lucene-solr - This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an X... (2018)

💬 Community (2)

Bugzilla: CVE-2018-8010 solr: XML external entity expansion in config files allows attackers to read arbitrary files (2018-05-22)
Bugzilla: CVE-2018-8010 solr3: solr: XML external entity expansion in config files allows attackers to read arbitrary files [fedora-all] (2018-05-22)