CVE-2013-6408

Name of the Vulnerable Software and Affected Versions Apache Solr versions prior to 4.3.1

Description The issue is related to the DocumentAnalysisRequestHandler in Apache Solr, which does not properly use the EmptyEntityResolver. This allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. The vulnerability exists because of an incomplete fix for a previous issue.

Recommendations For Apache Solr versions prior to 4.3.1, update to version 4.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the DocumentAnalysisRequestHandler to minimize the risk of exploitation. Avoid using XML data containing external entity declarations in conjunction with entity references until the issue is resolved.