QwikSec

Security Database

CVE

CWE

Training

CVE-2018-8026

Published: Jul 5, 2018

Modified: Sep 16, 2024

PUBLISHED

Description

This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. The manipulated files can be uploaded as configsets using Solr's API, allowing to exploit that vulnerability.

Vendor	Product	Versions
Apache Software Foundation	Apache Solr	affected `6.0.0 to 6.6.4` affected `7.0.0 to 7.3.1`

References

vdb-entry

x_refsource_BID

https://issues.apache.org/jira/browse/SOLR-12450

x_refsource_CONFIRM

https://security.netapp.com/advisory/ntap-20190307-0002/

x_refsource_CONFIRM

[lucene-solr-user] 20180704 [SECURITY] CVE-2018-8026: XXE vulnerability due to Apache Solr configset upload (exchange rate provider config / enum field config / TIKA parsecontext)

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.