Apache Solr 4.0.0 XML External Entity
high Web Application Scanning Plugin ID 98886
Language:
Synopsis
Apache Solr 4.0.0 XML External EntityDescription
Apache Solr 4.0.0 allows remote attackers to have an unspecified impact via the 'UpdateRequestHandler' for XSLT or 'XPathEntityProcessor', by injecting XML data containing an external entity declaration in conjunction with a valid entity reference, related to an XML External Entity (XXE) issue.Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update to Apache Solr version 4.1.0 or latest.See Also
https://issues.apache.org/jira/browse/SOLR-3895
https://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup
https://rhn.redhat.com/errata/RHSA-2014-0029.html
Plugin Details
Severity: High
ID: 98886
Type: remote
Family: Component Vulnerability
Published: 1/22/2020
Updated: 10/7/2021
Scan Template: pci, api, scan
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2012-6612
CVSS v3
Risk Factor: High
Base Score: 7.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score Source: CVE-2012-6612
Vulnerability Information
CPE: cpe:2.3:a:apache:solr:4.0.0:*:*:*:*:*:*:*
Exploit Ease: No known exploits are available
Patch Publication Date: 12/7/2013
Vulnerability Publication Date: 12/7/2013
Reference Information
CVE: CVE-2012-6612
OWASP: 2013-A9, 2017-A9, 2010-A1, 2013-A1, 2017-A4, 2021-A6, 2021-A5
CWE: 611
WASC: XML External Entities
OWASP API: 2019-API7
HIPAA: 164.306(a)(1), 164.306(a)(2)
DISA STIG: APSC-DV-002630, APSC-DV-002550
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.5.2
ISO: 27001-A.14.2.5
CAPEC: 221
NIST: sp800_53-CM-6b, sp800_53-SI-10