[SOLR-11971] CVE-2018-1308: XXE attack through DIH's dataConfig request parameter - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 6.6.3, 7.3, 8.0
Component/s: contrib - DataImportHandler
Labels:
None

Description

We got a security report about an XXE attack when using the &dataConfig=<inlinexml> of Solr's DataImportHandler. See the attached PDF file with full details (I converted it to PDF, originally it was a DOC file).

Attachments

ApacheSolrDIH-XXE.pdf
12/Feb/18 11:26
1.52 MB
Uwe Schindler
SOLR-11971.patch
12/Feb/18 12:51
5 kB
Uwe Schindler

Issue Links

Add Link

links to

Advisory

Delete this link

CVE-2018-1308

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Uwe Schindler

Reporter:: Uwe Schindler

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 12/Feb/18 11:26

Updated:: 08/Jun/19 15:13

Resolved:: 18/Feb/18 21:44

Agile

View on Board

CVE-2018-1308: XXE attack through DIH's dataConfig request parameter

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Agile

Slack

Issue deployment