CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-8010
https://notcve.org/view.php?id=CVE-2018-8010
This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. • http://www.securityfocus.com/bid/104239 https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E https://mail-archives.apache.org/mod_mbox/www-announce/201805.mbox/%3C08a801d3f0f9%24df46d300%249dd47900%24%40apache.org%3E • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2018-1308
https://notcve.org/view.php?id=CVE-2018-1308
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Esta vulnerabilidad en Apache Solr 1.2 a 6.6.2 y 7.0.0 a 7.2.1 está relacionado con una expansión XEE (XML External Entity) en el parámetro `dataConfig=` del DataImportHandler de Solr. Puede emplearse como XEE mediante el uso de protocolos file/ftp/http para leer archivos locales arbitrarios del servicio Solr o de la red interna. • https://issues.apache.org/jira/browse/SOLR-11971 https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E https://lists.debian.org/debian-lts-announce/2018/04/msg00025.html https://mail-archives.apache.org/mod_mbox/www-announce/201804.mbox/%3C000001d3cf68%245ac69af0%241053d0d0%24%40apache.org%3E https://www.debian.org/security/2018/dsa-4194 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 10.0EPSS: 97%CPEs: 11EXPL: 2CVE-2017-12629 – Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-12629
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. Ocurre una ejecución remota de código en Apache Solr en versiones anteriores a la 7.1 con Apache Lucene en versiones anteriores a la 7.1 explotando XXE junto con el uso de un comando add-listener de la API de configuración para alcanzar la clase RunExecutableListener. • https://www.exploit-db.com/exploits/43009 http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E http://openwall.com/lists/oss-security/2017/10/13/1 http://www.securityfocus.com/bid/101261 https://access.redhat.com/errata/RHSA-2017:3123 https://access.redhat.com/errata/RHSA-2017:3124 https://access.redhat.com/errata/RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3451 https:/ • CWE-138: Improper Neutralization of Special Elements CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2017-9803
https://notcve.org/view.php?id=CVE-2017-9803
Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster. • http://mail-archives.us.apache.org/mod_mbox/www-announce/201709.mbox/%3CCAOOKt53AOScg04zUh0%2BR_fcXD0C9s5mQ-OzdgYdnHz49u1KmXw%40mail.gmail.com%3E http://www.securityfocus.com/bid/100870 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2017-3163 – solr: Directory traversal via Index Replication HTTP API
https://notcve.org/view.php?id=CVE-2017-3163
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access. Cuando se usa la característica Index Replication, los nodos Apache Solr pueden tomar archivos index de un nodo master/leader usando una API HTTP que acepta un nombre de archivo. Sin embargo, Solr en versiones anteriores a la 5.5.4 y en versiones 6.x anteriores a la 6.4.1 no valida el nombre de archivo, por lo que fue posible manipular una petición especial que involucre un salto de ruta, dejando expuestos todos los archivos legibles en el proceso de servidor Solr. • https://access.redhat.com/errata/RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1451 https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488%40%3Csolr-user.lucene.apache.org%3E https://www.debian.org/security/2018/dsa-4124 https://access.redhat.com/security/cve/CVE-2017-3163 https://bugzilla.redhat.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •