SB2018041210 - Information disclosure in Apache Solr
Published: April 12, 2018
Security Bulletin ID
SB2018041210
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Description
This security bulletin contains information about 1 security vulnerability.
1) XXE attack (CVE-ID: CVE-2018-1308)
The vulnerability allows a remote unauthenticated attacker to conduct an XXE attack on the target system.
The weakness exists in the dataConfig request parameter of the DataImportHandler due to improper handling of XML external entities. A remote attacker can supply a crafted dataConfig containing file, FTP, or HTTP external entity references, conduct an XXE attack, and gain access to potentially sensitive local files on the system or to sensitive information from the internal network in which the system resides.
Remediation
Install the update from the vendor's website.