CVE-2018-1308: XXE vulnerability via DIH's dataConfig request parameter
This vulnerability is an XML external entity expansion (XXE) in the &dataConfig=<inlinexml> parameter of Solr's DataImportHandler. External entities using the file, ftp or http protocols can be used to read arbitrary local files from the Solr server or from the internal network.
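An added example, not part of the original advisory or of Solr's code: a Python check that scans web access-log lines for dataConfig values carrying a DTD or an external entity that uses the schemes named above. The access-log format, the handler path /solr/core1/dataimport and every sample line are constructed assumptions; a dataConfig sent in a POST body does not appear in such logs.

```python
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# A DTD or entity declaration inside the inline XML.
DTD_RE = re.compile(r"<!\s*(?:DOCTYPE|ENTITY)\b", re.I)
# An external identifier that uses one of the schemes the advisory names.
EXTERNAL_RE = re.compile(r"\b(?:SYSTEM|PUBLIC)\b[^>]*?[\"'](?:file|ftp|https?):", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify(request_target):
    """Return 'external-entity', 'dtd' or None for one request target."""
    values = parse_qs(urlsplit(request_target).query).get("dataConfig", [])
    verdict = None
    for value in values:
        # parse_qs decoded once; decode again to catch double encoding.
        for text in (value, unquote(value)):
            if EXTERNAL_RE.search(text):
                return "external-entity"
            if DTD_RE.search(text):
                verdict = "dtd"
    return verdict


def scan(log_lines):
    """Return (line_number, verdict) for every flagged access-log line."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        verdict = classify(match.group(1)) if match else None
        if verdict:
            hits.append((number, verdict))
    return hits


# Constructed sample input: handler path, core name, address and sizes are made up.
BASE = "/solr/core1/dataimport?command=full-import&dataConfig="
PLAIN = "<dataConfig><document/></dataConfig>"
INTERNAL = '<!DOCTYPE dataConfig [<!ENTITY e "text">]><dataConfig/>'
EXTERNAL = '<!DOCTYPE dataConfig [<!ENTITY e SYSTEM "file:///constructed/placeholder">]><dataConfig/>'
TARGETS = [
    "/solr/core1/select?q=*:*",
    BASE + quote(PLAIN, safe=""),
    BASE + quote(INTERNAL, safe=""),
    BASE + quote(EXTERNAL, safe=""),
    BASE + quote(quote(EXTERNAL, safe=""), safe=""),  # double-encoded variant
]
SAMPLE_LOG = [f'192.0.2.10 - - [01/Jan/2018:00:00:00 +0000] "GET {t} HTTP/1.1" 200 512'
              for t in TARGETS]
```

A legitimate inline dataConfig rarely needs a DTD at all, so a "dtd" verdict is worth reviewing even when no external identifier is present.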