Description
The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
Remediation
References
http://rhn.redhat.com/errata/RHSA-2013-1844.html
http://rhn.redhat.com/errata/RHSA-2014-0029.html
http://secunia.com/advisories/55542
http://secunia.com/advisories/59372
http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup
http://www.openwall.com/lists/oss-security/2013/11/29/2
https://issues.apache.org/jira/browse/SOLR-4881
Related Vulnerabilities
CVE-2021-23445 Vulnerability in npm package datatables.net
CVE-2018-1999041 Vulnerability in maven package com.tinfoilsecurity.plugins:tinfoil-scan
CVE-2023-33942 Vulnerability in maven package com.liferay:com.liferay.asset.browser.web
CVE-2020-2193 Vulnerability in maven package io.jenkins.plugins:echarts-api
CVE-2016-4434 Vulnerability in maven package org.apache.tika:tika-parsers