Apache Solr versions before 6.6.4 and 7.3.1 are vulnerable to XML external entity expansion (XXE) in Solr config files. A remote attacker could exploit this by uploading configsets through Solr's API, allowing arbitrary files on the Solr server or the internal network to be read.

External Reference:
https://mail-archives.apache.org/mod_mbox/lucene-solr-user/201807.mbox/%3C0cdc01d413b7%24f97ba580%24ec72f080%24%40apache.org%3E

Upstream Bug:
https://issues.apache.org/jira/browse/SOLR-12450

Upstream Patch:
https://issues.apache.org/jira/secure/attachment/12928111/SOLR-12450.patch

Created solr3 tracking bugs for this issue:

Affects: fedora-all [bug 1598622]
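
For the configset upload path described above, a pre-upload audit can flag DTD and external entity declarations in a configset archive before it reaches an unpatched Solr. This is an added example, not the upstream patch or Solr code. It assumes the configset is a zip archive and that your configsets carry no legitimate DTD; `audit_xml`, `audit_configset` and `build_sample` are hypothetical names, and the sample archive is constructed.

```python
import io
import zipfile
import xml.parsers.expat

class _Stop(Exception): ...  # raised by a handler to end parsing after the prolog

def audit_xml(data: bytes) -> list:
    """List DTD constructs in one XML document; no entity is resolved."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            findings.append(f"external entity {name} -> {system_id}")
    def stop(*_args):
        raise _Stop  # declarations can only precede the root element
    parser.StartDoctypeDeclHandler = lambda name, sysid, *_: findings.append(
        f"DOCTYPE {name} {sysid or ''}".rstrip())  # sysid = external DTD subset
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = stop
    parser.StartElementHandler = stop
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings

def audit_configset(zip_bytes: bytes) -> dict:
    """Map each XML-looking entry of a configset zip to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = b"" if info.is_dir() else zf.read(info)
            # managed-schema has no .xml suffix, so sniff content, not names
            head = data[:16].replace(b"\x00", b"").lstrip(b"\xef\xbb\xbf\xff\xfe \t\r\n")
            if head.startswith(b"<") and (found := audit_xml(data)):
                report[info.filename] = found
    return report

def build_sample() -> bytes:
    """Constructed configset: one entry with an external entity, one clean."""
    bad = b'<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///placeholder">]><config/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("conf/solrconfig.xml", bad)
        zf.writestr("conf/managed-schema", b'<schema name="demo" version="1.6"/>')
    return buf.getvalue()

print(audit_configset(build_sample()))  # demo run on the constructed sample
```

Parsing stops at the end of the DOCTYPE or at the root element, so entity references in the document body are never expanded. For untrusted archives, check each entry's `file_size` against a cap before calling `zf.read`.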