CVE-2018-8026

Name of the Vulnerable Software and Affected Versions: Apache Solr versions 6.0.0 through 6.6.4 Apache Solr versions 7.0.0 through 7.3.1

Description: The issue relates to an XML external entity expansion (XXE) in Solr config files, such as currency.xml, enumsConfig.xml, and TIKA parsecontext config file, which can be exploited to read arbitrary local files from the Solr server or the internal network using file/ftp/http protocols. The Xinclude functionality in these config files is also affected. The manipulated files can be uploaded as configsets using Solr's API.

Recommendations: For Apache Solr versions 6.0.0 through 6.6.4, update to a version outside of this range to mitigate the risk. For Apache Solr versions 7.0.0 through 7.3.1, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Solr API to minimize the risk of exploitation. Avoid using the Xinclude functionality in Solr config files until the issue is resolved.