Apache Solr < 4.3.1 XML External Entity Injection

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a Java application that is affected by
an XML External Entity Injection vulnerability.

Description :

The version of Apache Solr hosted on the remote web server is affected
by an XML External Entity Injection vulnerability due to an incorrectly
configured XML parser in the 'DocumentAnalysisRequestHandler' class. A
remote, unauthenticated attacker could exploit this flaw to read
arbitrary files or cause a denial of service (DoS) condition.

Note that this issue exists due to an incomplete fix for
CVE-2013-6407.

See also :

https://issues.apache.org/jira/browse/SOLR-4881
http://lucene.apache.org/solr/4_3_1/changes/Changes.html

Solution :

Upgrade to Apache Solr version 4.3.1 or later.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 71845

Bugtraq ID: 64009

CVE ID: CVE-2013-6408