CVE-2013-6408

The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.

Published: Dec 7, 2013
Updated: Nov 8, 2023
CVE: CVE-2013-6408
GHSA: GHSA-45w3-2hvv-pfxq
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:N/A:P

CWEs:

CWE-91

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
apache / solr	4.0.0-alpha	4.0.0-alpha.x
apache / solr	3.6.1	3.6.1.x
apache / solr	4.2.1	4.2.1.x
apache / solr	3.6.0	3.6.0.x
apache / solr	4.0.0-beta	4.0.0-beta.x
apache / solr	4.2.0	4.2.0.x
apache / solr	3.6.2	3.6.2.x
apache / solr	4.0.0	4.0.0.x
apache / solr	4.1.0	4.1.0.x
apache / solr	-	4.3.0.x
org.apache.solr / solr-core	-	4.3.1

http://rhn.redhat.com/errata/RHSA-2013-1844.html
http://rhn.redhat.com/errata/RHSA-2014-0029.html
http://secunia.com/advisories/55542
http://secunia.com/advisories/59372
http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup
http://www.openwall.com/lists/oss-security/2013/11/29/2
https://issues.apache.org/jira/browse/SOLR-4881

Vulnerability Database

289,599

CVE-2013-6408