CVE-2013-6408

EUVD-2022-2310
The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.4 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
Affected Products (NVD)
VendorProductVersion
apachesolr
𝑥
≤ 4.3.0
apachesolr
3.6.0
apachesolr
3.6.1
apachesolr
3.6.2
apachesolr
4.0.0
apachesolr
4.0.0:alpha
apachesolr
4.0.0:beta
apachesolr
4.1.0
apachesolr
4.2.0
apachesolr
4.2.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
lucene-solr
bookworm
3.6.2+dfsg-26
fixed
bullseye
3.6.2+dfsg-24
fixed
sid
3.6.2+dfsg-26
fixed
trixie
3.6.2+dfsg-26
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
lucene-solr
lucid
dne
precise
dne
quantal
ignored
raring
ignored
saucy
ignored
trusty
not-affected
utopic
ignored
vivid
ignored
wily
ignored
xenial
not-affected
yakkety
not-affected
References
http://rhn.redhat.com/errata/RHSA-2013-1844.html
http://rhn.redhat.com/errata/RHSA-2014-0029.html
http://secunia.com/advisories/55542
http://secunia.com/advisories/59372
http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup
http://www.openwall.com/lists/oss-security/2013/11/29/2
https://issues.apache.org/jira/browse/SOLR-4881
http://rhn.redhat.com/errata/RHSA-2013-1844.html
http://rhn.redhat.com/errata/RHSA-2014-0029.html
http://secunia.com/advisories/55542
http://secunia.com/advisories/59372
http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup
http://www.openwall.com/lists/oss-security/2013/11/29/2
https://issues.apache.org/jira/browse/SOLR-4881