Apache Solr through versions 6.6.2 and 7.2.1 is vulnerable to XML external entity expansion (XXE) in handler/dataimport/DataImporter.java. A remote attacker could exploit this to read arbitrary local files from the vulnerable server.

External References:
http://www.openwall.com/lists/oss-security/2018/04/08/3

Upstream Issue:
https://issues.apache.org/jira/browse/SOLR-11971

Upstream Patch:
https://issues.apache.org/jira/secure/attachment/12910207/SOLR-11971.patch

Created solr3 tracking bugs for this issue:

Affects: fedora-all [bug 1564960]