Apache Software Foundation Apache Solr vulnerabilities
26 known vulnerabilities affecting apache_software_foundation/apache_solr.
Total CVEs: 26
CISA KEV: 1 (actively exploited)
Public exploits: 5
Exploited in wild: 3
Severity breakdown: CRITICAL 6, HIGH 15, MEDIUM 5
Vulnerabilities
Page 2 of 2
CVE-2018-8026 [MEDIUM] CVSS 5.5 | CWE-611 | Affected: 6.0.0 to 6.6.4, 7.0.0 to 7.3.1 | Published: 2018-07-05
This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referenced from schema.xml, the TIKA parsecontext config file). In addition, the XInclude functionality provided in these config files is affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
Sources: cvelistv5, nvd
CVE-2018-8010 [MEDIUM] CVSS 5.5 | CWE-611 | Affected: 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 | Published: 2018-05-21
This vulnerability in Apache Solr 6.0.0 to 6.6.3 and 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, the XInclude functionality provided in these config files is affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
Sources: cvelistv5, nvd
CVE-2018-1308 [HIGH] CVSS 7.5 | CWE-611 | Affected: 1.2 to 6.6.2, 7.0.0 to 7.2.1 | Published: 2018-04-09
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
Sources: cvelistv5, nvd
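The three XXE entries above (CVE-2018-8010 and CVE-2018-8026 in config files, CVE-2018-1308 in the DataImportHandler `dataConfig=` parameter) share one root cause: an XML parser that follows external entity declarations in attacker-controlled input. The block below is an added example, not Solr's own code: it reproduces the file:// read with Python's standard-library SAX parser rather than the Java parser Solr uses, and shows the single parser setting that closes it. The schema.xml-shaped payload and the "secret" file are constructed for the demo.

```python
"""XXE in XML config loading: the vulnerable parser setting beside the fixed one.

Added example, not Apache Solr's code.  It reproduces the file:// read that
CVE-2018-8010 / CVE-2018-8026 (schema.xml, solrconfig.xml, currency.xml ...)
and CVE-2018-1308 (dataConfig= parameter) allowed, using Python's
standard-library SAX parser instead of the Java parser Solr uses.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collect character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def parse_config(xml_bytes, resolve_external_entities):
    """Parse an XML 'config file' and return its text content.

    resolve_external_entities=True is the vulnerable behaviour: the parser
    follows SYSTEM entities to file/ftp/http and pastes the result into the
    document.  False (the hardened setting, and Python's default since 3.7.1)
    leaves the entity unexpanded.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_demo():
    """Plant a secret file, reference it from a crafted schema.xml, parse both ways.

    Returns {"vulnerable": <text containing the secret>, "hardened": <text without it>}.
    """
    # Constructed stand-in for a credentials file on the Solr host.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db-password-hunter2")
        secret_path = f.name
    try:
        # Constructed payload in the shape of a schema.xml: the DOCTYPE declares
        # an external entity pointing at a local file, and the entity is
        # expanded inside an element the application later reads back.
        payload = (
            '<?xml version="1.0"?>\n'
            "<!DOCTYPE schema [\n"
            f'  <!ENTITY xxe SYSTEM "file://{secret_path}">\n'
            "]>\n"
            '<schema name="crafted"><field name="leak">&xxe;</field></schema>'
        ).encode()
        return {
            "vulnerable": parse_config(payload, resolve_external_entities=True),
            "hardened": parse_config(payload, resolve_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    result = xxe_demo()
    print("vulnerable parser expanded:", repr(result["vulnerable"]))
    print("hardened parser expanded:  ", repr(result["hardened"]))
```

Python's SAX parser does not implement XInclude, which the two config-file advisories also name; in Solr's Java world the equivalent hardening is on the `DocumentBuilderFactory`: `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`, `setExpandEntityReferences(false)` and `setXIncludeAware(false)`, applied to every parser that loads a file an API caller can upload or a request parameter can point at.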
CVE-2017-9803 [HIGH] CVSS 7.5 | CWE-287 | Affected: 6.2.0 to 6.6.0 | Published: 2017-09-18
Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using a SecurityAwareZkACLProvider type of ACL provider, e.g. SaslZkACLProvider). Firstly, access to the security configuration can be lea
Sources: cvelistv5, nvd
CVE-2017-3163 [HIGH] CVSS 7.5 | CWE-22 | Affected: 1.4.0 to 5.5.3, 6.0.0 to 6.4.0 | Published: 2017-08-30
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process.
Sources: cvelistv5, nvd
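The replication bug above is a file-serving endpoint that trusted a client-supplied file name. As an added example (not Solr's own code), the block below is the check such an endpoint needs: a replicated index file is a single directory entry, so anything that is not a bare name is refused before the filesystem is touched, and the resolved path is re-checked so a symlink planted inside the index directory cannot escape it either. The index directory, segment file and symlink are constructed for the demo.

```python
"""Validating a client-supplied index file name before serving it.

Added example, not Apache Solr's code.  CVE-2017-3163 is the replication
handler taking a file name from the request and opening it without
validation; this is the check such an endpoint needs, run against the
inputs a pentester would try (dot-dot, absolute path, symlink, NUL byte).
"""
import os
import shutil
import tempfile


class UnsafeFileName(ValueError):
    """Raised for a name that must never reach the filesystem layer."""


def resolve_index_file(index_dir, requested_name):
    """Return the real path of requested_name inside index_dir, or raise.

    Rejects empty names, NUL bytes, any path separator and the dot
    components up front; then resolves symlinks and confirms the result is
    still below the real index directory before checking it exists.
    """
    if not requested_name or "\x00" in requested_name:
        raise UnsafeFileName("empty name or NUL byte")
    if "/" in requested_name or "\\" in requested_name:
        raise UnsafeFileName("path separator in file name")
    if requested_name in (".", ".."):
        raise UnsafeFileName("dot component")
    base = os.path.realpath(index_dir)
    candidate = os.path.realpath(os.path.join(base, requested_name))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFileName("resolved path escapes index directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested_name)
    return candidate


def check_names(index_dir, names):
    """Classify each requested name as 'ok', 'not found' or 'rejected: <why>'."""
    results = {}
    for name in names:
        try:
            resolve_index_file(index_dir, name)
            results[name] = "ok"
        except UnsafeFileName as exc:
            results[name] = f"rejected: {exc}"
        except FileNotFoundError:
            results[name] = "not found"
    return results


def traversal_demo():
    """Build a throwaway index directory and run the usual attack inputs through the check.

    Layout (constructed for the demo):
      <root>/solr.in.sh        a file outside the index directory
      <root>/index/_0.cfs      a legitimate segment file
      <root>/index/escape.lnk  a symlink back to <root>/solr.in.sh
    """
    root = tempfile.mkdtemp()
    try:
        index_dir = os.path.join(root, "index")
        os.mkdir(index_dir)
        with open(os.path.join(index_dir, "_0.cfs"), "wb") as f:
            f.write(b"segment data")
        with open(os.path.join(root, "solr.in.sh"), "w") as f:
            f.write("SOLR_AUTHENTICATION_OPTS=secret\n")
        os.symlink(os.path.join(root, "solr.in.sh"),
                   os.path.join(index_dir, "escape.lnk"))
        return check_names(index_dir, [
            "_0.cfs",                  # legitimate segment file
            "../solr.in.sh",           # classic traversal
            "../../../../etc/passwd",  # deeper traversal
            "/etc/passwd",             # absolute path
            "escape.lnk",              # symlink escaping the directory
            "_0.cfs\x00.txt",          # NUL-byte truncation attempt
            "missing.fdt",             # well-formed but absent
        ])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in traversal_demo().items():
        print(f"{name!r:28} -> {verdict}")
```

The separator check does the heavy lifting and is cheap; the `realpath`/`commonpath` step is what catches a symlink or a bind mount that a string check cannot see, and the existence check comes last so that the error for a bad name never reveals whether a file outside the directory exists.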
CVE-2017-7660 [HIGH] CVSS 7.5 | CWE-287 | Affected: 5.3 to 5.5.4, 6.0 to 6.5.1 | Published: 2017-07-07
Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in the cluster into believing that the malicious node is a member of the cluster. So, if Solr users have en
Sources: cvelistv5, nvd