Vulnerabilities > CVE-2018-1308 - XXE vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

apache

debian

CWE-611

nessus

NVD

Published: 2018-04-09

Updated: 2023-11-07

Summary

This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Solr 7.0.0 Apache Solr 7.0.1 Apache Solr 7.1.0 Apache Solr 7.2.0 Apache Solr 7.2.1 Apache Solr 1.2 Apache Solr 1.2.0 Apache Solr 1.3.0 Apache Solr 1.4.0 Apache Solr 1.4.1 Apache Solr 3.1 Apache Solr 3.1.0 Apache Solr 3.2 Apache Solr 3.2.0 Apache Solr 3.3 Apache Solr 3.3.0 Apache Solr 3.4.0 Apache Solr 3.5.0 Apache Solr 3.6.0 Apache Solr 3.6.1 Apache Solr 3.6.2 Apache Solr 4.0.0 Apache Solr 4.1.0 Apache Solr 4.2.0 Apache Solr 4.2.1 Apache Solr 4.3.0 Apache Solr 4.3.1 Apache Solr 4.4.0 Apache Solr 4.5.0 Apache Solr 4.5.1 Apache Solr 4.6.0 Apache Solr 4.6.1 Apache Solr 4.7.0 Apache Solr 4.7.1 Apache Solr 4.7.2 Apache Solr 4.8.0 Apache Solr 4.8.1 Apache Solr 4.9.0 Apache Solr 4.9.1 Apache Solr 4.10.0 Apache Solr 4.10.1 Apache Solr 4.10.2 Apache Solr 4.10.3 Apache Solr 4.10.4 Apache Solr 5.0 Apache Solr 5.0.0 Apache Solr 5.1 Apache Solr 5.1.0 Apache Solr 5.2.0 Apache Solr 5.2.1 Apache Solr 5.3 Apache Solr 5.3.0 Apache Solr 5.3.1 Apache Solr 5.3.2 Apache Solr 5.4.0 Apache Solr 5.4.1 Apache Solr 5.5.0 Apache Solr 5.5.1 Apache Solr 5.5.2 Apache Solr 5.5.3 Apache Solr 5.5.4 Apache Solr 5.5.5 Apache Solr 6.0.0 Apache Solr 6.0.1 Apache Solr 6.1.0 Apache Solr 6.2.0 Apache Solr 6.2.1 Apache Solr 6.3.0 Apache Solr 6.4.0 Apache Solr 6.4.1 Apache Solr 6.4.2 Apache Solr 6.5.0 Apache Solr 6.5.1 Apache Solr 6.6.0 Apache Solr 6.6.1 Apache Solr 6.6.2	79
OS	Debian Debian Debian Linux 8.0 Debian Debian Linux 7.0 Debian Debian Linux 9.0	3

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1360.NASL
description	It was discovered that there was an XML external entity expansion (XXE) vulnerability in lucene-solr, a search engine library for Java. It could be exploited to read arbitrary local files from the Solr server or the internal network. For Debian 7
last seen	2020-03-17
modified	2018-04-25
plugin id	109327
published	2018-04-25
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109327
title	Debian DLA-1360-1 : lucene-solr security update
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1360-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(109327); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2018-1308"); script_name(english:"Debian DLA-1360-1 : lucene-solr security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "It was discovered that there was an XML external entity expansion (XXE) vulnerability in lucene-solr, a search engine library for Java. It could be exploited to read arbitrary local files from the Solr server or the internal network. For Debian 7 'Wheezy', this issue has been fixed in lucene-solr version 3.6.0+dfsg-1+deb7u4. We recommend that you upgrade your lucene-solr packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2018/04/msg00025.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/lucene-solr" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblucene3-contrib-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblucene3-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblucene3-java-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libsolr-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:solr-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:solr-jetty"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:solr-tomcat"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"liblucene3-contrib-java", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"liblucene3-java", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"liblucene3-java-doc", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"libsolr-java", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"solr-common", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"solr-jetty", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"solr-tomcat", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4194.NASL
description	An XML external entity expansion vulnerability was discovered in the DataImportHandler of Solr, a search server based on Lucene, which could result in information disclosure.
last seen	2020-06-01
modified	2020-06-02
plugin id	109589
published	2018-05-07
reporter	This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109589
title	Debian DSA-4194-1 : lucene-solr - security update

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References