Apache Solr CVE-2018-8010 XML External Entity Multiple Information Disclosure Vulnerabilities

Apache Solr is prone to multiple information-disclosure vulnerabilities.

An attacker can exploit these issues to gain access to sensitive information that may lead to further attacks.
Apache Solr versions 6.0.0 through 6.6.3, and 7.0.0 through 7.3.0 are vulnerable.

Information

Bugtraq ID: 104239
Class: Design Error
CVE: CVE-2018-8010

Remote: Yes
Local: No
Published: May 21 2018 12:00AM
Updated: May 21 2018 12:00AM
Credit: Ananthesh and Ishan Chattopadhyaya.
Vulnerable: Apache Solr 7.2.1
Apache Solr 7.0
Apache Solr 6.6.3
Apache Solr 6.6.2
Apache Solr 6.6.1
Apache Solr 6.6
Apache Solr 6.5.1
Apache Solr 6.5
Apache Solr 6.4
Apache Solr 6.3
Apache Solr 6.2
Apache Solr 7.3
Apache Solr 6.6
Apache Solr 6.3
Apache Solr 6.0

Not Vulnerable: Apache Solr 7.3.1
Apache Solr 6.6.4
Apache Solr 7.4

Exploit

An attacker can exploit these issues using readily available tools.

References:

• Apache Solr Homepage (Apache)
  
• Bug 1581037 - (CVE-2018-8010) CVE-2018-8010 solr: XML external entity expansion (Red Hat Bugzilla)
  
• CVE-2018-8010 (Red Hat Bugzilla)
  
• CVE-2018-8010: Prevent XXE in solrconfig.xml and managed-schema(.xml) (Apache)
  

Source: www.securityfocus.com