Description
The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
Remediation
References
http://secunia.com/advisories/55542
http://www.openwall.com/lists/oss-security/2013/11/29/2
http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup
https://issues.apache.org/jira/browse/SOLR-4881
http://rhn.redhat.com/errata/RHSA-2013-1844.html
http://rhn.redhat.com/errata/RHSA-2014-0029.html
http://secunia.com/advisories/59372
Related Vulnerabilities
CVE-2023-42795 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2019-1003009 Vulnerability in maven package org.jenkins-ci.plugins:active-directory
CVE-2019-10448 Vulnerability in maven package org.jenkins-ci.plugins:icescrum
CVE-2022-25883 Vulnerability in maven package org.webjars.npm:semver
CVE-2018-1270 Vulnerability in maven package org.springframework:spring-messaging