Apache Solr is prone to multiple information-disclosure vulnerabilities.
An attacker can exploit these issues to gain access to sensitive information that may lead to further attacks.
Apache Solr versions 6.0.0 through 6.6.4, and 7.0.0 through 7.3.1 are vulnerable.
Information
Vulnerable:
- Apache Solr 6.0
- Apache Solr 6.2
- Apache Solr 6.3
- Apache Solr 6.4
- Apache Solr 6.5
- Apache Solr 6.5.1
- Apache Solr 6.6
- Apache Solr 6.6.1
- Apache Solr 6.6.2
- Apache Solr 6.6.3
- Apache Solr 6.6.4
- Apache Solr 7.0
- Apache Solr 7.2.1
- Apache Solr 7.3
Not vulnerable:
- Apache Solr 7.4
Exploit
An attacker can exploit these issues using readily available tools.
References:
- Apache Solr Homepage (Apache)
- Bug 1598621 - (CVE-2018-8026) CVE-2018-8026 solr: XML external entity expansion (Red Hat Bugzilla)
- CVE-2018-8026 (Red Hat Bugzilla)
- CVE-2018-8026: More XXE vulns in code using DocumentBuilder (Apache)
- CVE-2018-8026: XXE vulnerability due to Apache Solr configset upload (Apache)