CVE-2018-1308

Impact:
Important
Public Date:
2018-02-12
CWE:
CWE-611
Bugzilla:
1564959: CVE-2018-1308 Solr: XML external entity expansion in handler/dataimport/DataImporter.java allows remote attackers to read arbitrary files

The MITRE CVE dictionary describes this issue as:

This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.

Find out more about CVE-2018-1308 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact None
Availability Impact None

Affected Packages State

Platform Package State
Red Hat JBoss Portal Platform 6 solr-core Not affected
Red Hat JBoss Fuse Service Works 6 solr-core Not affected
Red Hat JBoss Fuse 7 camel Not affected
Red Hat JBoss Fuse 6 camel Not affected
Red Hat JBoss EAP 6 solr-core Not affected
Red Hat JBoss Data Virtualization 6 solr-core Not affected
Red Hat JBoss Data Grid 6 solr-core Not affected

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.