CVE-2013-6408

2013-12-0720:55:02

[email protected]

web.nvd.nist.gov

apache solr

documentanalysisrequesthandler

xxe vulnerability

cve-2013-6408

nvd

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

6.7 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

71.4%

JSON

The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.

Affected configurations

NVD

Node

apachesolrRange≤4.3.0

apachesolrMatch3.6.0

apachesolrMatch3.6.1

apachesolrMatch3.6.2

apachesolrMatch4.0.0

apachesolrMatch4.0.0alpha

apachesolrMatch4.0.0beta

apachesolrMatch4.1.0

apachesolrMatch4.2.0

apachesolrMatch4.2.1

CPENameOperatorVersion
apache:solrapache solrle4.3.0
apache:solrapache solreq3.6.0
apache:solrapache solreq3.6.1
apache:solrapache solreq3.6.2
apache:solrapache solreq4.0.0
apache:solrapache solreq4.1.0
apache:solrapache solreq4.2.0
apache:solrapache solreq4.2.1

CPE	Name	Operator	Version
apache:solr	apache solr	le	4.3.0
apache:solr	apache solr	eq	3.6.0
apache:solr	apache solr	eq	3.6.1
apache:solr	apache solr	eq	3.6.2
apache:solr	apache solr	eq	4.0.0
apache:solr	apache solr	eq	4.1.0
apache:solr	apache solr	eq	4.2.0
apache:solr	apache solr	eq	4.2.1