Uwe Schindler

**Name of the Vulnerable Software and Affected Versions** Apache Solr versions prior to 4.6 **Description** The issue allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the `tr` parameter to "solr/select/", when the response writer (`wt` parameter) is set to XSLT. This can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries. The vulnerability may lead to a violation of confidentiality and availability of protected information. **Recommendations** For Apache Solr versions prior to 4.6, consider updating to version 4.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "solr/select/" endpoint or disabling the XSLT response writer to minimize the risk of exploitation. Avoid using the `tr` parameter with untrusted input in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Solr versions prior to 4.3.1 **Description** The issue is related to the DocumentAnalysisRequestHandler in Apache Solr, which does not properly use the EmptyEntityResolver. This allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. The vulnerability exists because of an incomplete fix for a previous issue. **Recommendations** For Apache Solr versions prior to 4.3.1, update to version 4.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the DocumentAnalysisRequestHandler to minimize the risk of exploitation. Avoid using XML data containing external entity declarations in conjunction with entity references until the issue is resolved.