Apache · Apache Solr · CVE-2018-8026
Name of the Vulnerable Software and Affected Versions:
Apache Solr versions 6.0.0 through 6.6.4
Apache Solr versions 7.0.0 through 7.3.1
Description:
The vulnerability is an XML external entity expansion (XXE) in XML config files that Solr loads for a core, such as `currency.xml` and `enumsConfig.xml` (both referenced from `schema.xml`) and the Tika parseContext config file. The XInclude functionality offered for these config files is affected in the same way. Because these files are parsed with external entities and includes enabled, a crafted config can make the Solr server read arbitrary local files, or resources on the internal network, over the file, ftp, or http protocols and return their contents to the attacker. The manipulated files can be uploaded as a configset through Solr's ConfigSets API, so anyone who can upload configsets can exploit the issue.
Recommendations:
For Apache Solr versions 6.0.0 through 6.6.4, upgrade to 6.6.5 or later, the first 6.x release outside the affected range, which includes the fix.
For Apache Solr versions 7.0.0 through 7.3.1, upgrade to 7.4.0 or later, the first 7.x release outside the affected range, which includes the fix.
As a temporary workaround, restrict network access to Solr's admin and ConfigSets APIs to trusted hosts, since exploitation requires uploading a manipulated configset.
Until upgraded, avoid XInclude in Solr config files, and review any configset before upload for DOCTYPE or ENTITY declarations and `xi:include` elements, since these are the constructs the attack relies on.
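The check suggested above, as an added example that is not part of this advisory and not Apache Solr's own code: a small pre-upload scanner that walks the XML files of a configset and reports DOCTYPE declarations, external entity declarations, and XInclude elements, while refusing to fetch any external entity itself. The sample `currency.xml` payloads, the file names, and the `/etc/passwd` and `/etc/hostname` targets are constructed for this example; Solr's actual fix lives in its own XML loading code, which this script does not replace.

```python
"""
Added example (not the CVE page's or Apache Solr's code): pre-upload scanner
for the XML files of a Solr configset. Flags the constructs CVE-2018-8026
abuses, external entity declarations in a DOCTYPE (XXE) and XInclude elements,
and never retrieves an external entity while scanning.
"""
import xml.parsers.expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# Constructed currency.xml declaring an external entity that points at a local
# file. A Solr version in the affected range would resolve it while loading the
# core; the target path is illustrative.
MALICIOUS_CURRENCY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE currencyConfig [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<currencyConfig version="1.0">
  <rates>
    <rate from="USD" to="EUR" rate="0.85"/>
    &xxe;
  </rates>
</currencyConfig>
"""

# Constructed variant that uses XInclude instead of a DOCTYPE.
XINCLUDE_CURRENCY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<currencyConfig version="1.0" xmlns:xi="http://www.w3.org/2001/XInclude">
  <rates>
    <xi:include href="file:///etc/hostname" parse="text"/>
  </rates>
</currencyConfig>
"""

# Constructed benign file for comparison.
BENIGN_CURRENCY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<currencyConfig version="1.0">
  <rates>
    <rate from="USD" to="EUR" rate="0.85"/>
  </rates>
</currencyConfig>
"""


def scan_config_xml(data: bytes) -> list[str]:
    """Return findings for one XML file; an empty list means nothing suspicious."""
    findings: list[str] = []
    # Namespace-aware parsing so XInclude is recognised by URI, not by prefix.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    # Never process parameter entities or fetch an external DTD subset.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE for <{name}> (external subset: {sysid or pubid or 'none'})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid or pubid:
            findings.append(f"external {kind} entity '{name}' -> {sysid or pubid}")
        else:
            findings.append(f"internal {kind} entity '{name}'")

    def on_external_ref(context, base, sysid, pubid):
        # Returning 0 makes expat abort the parse instead of fetching the resource.
        findings.append(f"reference to external entity {sysid or pubid}; not fetched")
        return 0

    def on_start_element(name, attrs):
        if name.startswith(XINCLUDE_NS + " "):
            findings.append(f"XInclude element href={attrs.get('href')}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start_element

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"parse aborted: {exc}")
    return findings


def scan_configset(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan every .xml entry of a configset (path -> bytes); return only files with findings."""
    report: dict[str, list[str]] = {}
    for path, data in files.items():
        if path.lower().endswith(".xml"):
            findings = scan_config_xml(data)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    # Constructed configset; in practice read the files out of the zip before upload.
    configset = {
        "currency.xml": MALICIOUS_CURRENCY_XML,
        "enumsConfig.xml": XINCLUDE_CURRENCY_XML,
        "rates.xml": BENIGN_CURRENCY_XML,
    }
    for path, findings in scan_configset(configset).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Run the scan over the unpacked configset before pushing it with the ConfigSets API upload action; a non-empty report for any file is a reason to reject the upload. The scanner deliberately treats any DOCTYPE as a finding rather than only external entities, because Solr config files have no legitimate need for a DTD and an internal subset can still be used to build the external reference through parameter entities.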