CVE-2013-6397: Directory traversal when loading XSL stylesheets and Velocity templates

December 7, 2013 (updated October 23, 2015)

Directory traversal vulnerability in SolrResourceLoader in this package allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.

References

bugzilla.redhat.com/CVE-2013-6397

Detect and mitigate CVE-2013-6397 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →