Apache Solr versions 6.0.0 to 6.6.3 and 7.0.0 to 7.3.0 have an XML external entity expansion (XXE) vulnerability in config files (solrconfig.xml, schema.xml, managed-schema). An attacker could exploit this to read arbitrary local files from the Solr server or the internal network.

External References:
http://www.openwall.com/lists/oss-security/2018/05/21/4

Upstream Issue:
https://issues.apache.org/jira/browse/SOLR-12316
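
A triage check for the issue described above, as an added example that is not part of the original report or of Solr: it tests a dotted numeric version against the affected ranges quoted above and flags external DTD or entity declarations in the three named config files. The function names and the sample inputs are constructed for illustration.

```python
import re

# Affected ranges exactly as stated in the advisory text (inclusive bounds).
AFFECTED = [((6, 0, 0), (6, 6, 3)), ((7, 0, 0), (7, 3, 0))]
# Config files the advisory names as the XXE entry points.
CONFIG_NAMES = {"solrconfig.xml", "schema.xml", "managed-schema"}

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
LITERALS = r"""((?:["'][^"']*["']\s*)+)"""
# <!DOCTYPE root SYSTEM "uri"> : external DTD subset
DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+[\w.:-]+\s+(?:SYSTEM|PUBLIC)\s+" + LITERALS)
# <!ENTITY name SYSTEM "uri"> or <!ENTITY % name PUBLIC "id" "uri">
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s+)?[\w.:-]+\s+(?:SYSTEM|PUBLIC)\s+" + LITERALS + ">")


def is_affected(version):
    """True if a dotted numeric Solr version falls inside the advisory's ranges."""
    parts = [int(p) for p in version.split(".")]
    v = tuple((parts + [0, 0])[:3])
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def _uri(literals):
    """Last quoted literal is the system identifier (PUBLIC has two)."""
    return re.findall(r"""["']([^"']*)["']""", literals)[-1]


def scan_config(name, text):
    """Return (file, kind, uri) for each external DTD/entity declaration."""
    if name not in CONFIG_NAMES:
        return []
    body = COMMENT_RE.sub("", text)  # ignore declarations inside comments
    found = [(name, "external-dtd", _uri(m.group(1)))
             for m in DOCTYPE_RE.finditer(body)]
    for m in ENTITY_RE.finditer(body):
        kind = "external-parameter-entity" if m.group(1) else "external-entity"
        found.append((name, kind, _uri(m.group(2))))
    return found


# Constructed sample inputs (not taken from a real deployment).
FLAGGED = """<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY inc SYSTEM "file:///opt/example/include.xml">
]>
<config>&inc;</config>
"""
CLEAN = """<?xml version="1.0"?>
<!-- <!ENTITY old SYSTEM "file:///tmp/x"> -->
<config><!-- internal entities are not flagged --></config>
"""
```

A finding on a version for which is_affected() returns True means the declaration would be resolved when that config is loaded, so the file's origin and the referenced URI are worth reviewing.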
Created solr3 tracking bugs for this issue:

Affects: fedora-all [bug 1581038]