ID CVE-2013-6408
Summary The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:solr:4.0.0:alpha:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:4.0.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:4.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:4.0.0:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:4.0.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:4.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:4.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:4.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:4.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:1.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:1.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:1.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:1.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:1.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:1.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:3.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:3.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:4.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:4.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:solr:4.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:solr:4.3.0:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 13-02-2023 - 04:49)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2013:1844
  • rhsa
    id RHSA-2014:0029
refmap via4
confirm
mlist [oss-security] 20131128 Re: CVE Request: Apache Solr XXE
secunia
  • 55542
  • 59372
Last major update 13-02-2023 - 04:49
Published 07-12-2013 - 20:55
Last modified 13-02-2023 - 04:49
Back to Top