  1. Solr
  2. SOLR-11971

CVE-2018-1308: XXE attack through DIH's dataConfig request parameter


    Details

      Description

      We got a security report about an XXE attack when using the &dataConfig=<inlinexml> parameter of Solr's DataImportHandler. See the attached PDF file for full details (I converted it to PDF; originally it was a DOC file).

        Attachments

        1. ApacheSolrDIH-XXE.pdf
          1.52 MB
          Uwe Schindler
        2. SOLR-11971.patch
          5 kB
          Uwe Schindler


              People

              • Assignee:
                thetaphi Uwe Schindler
                Reporter:
                thetaphi Uwe Schindler
