How severe is CVE-2018-8010?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.5 out of 10.

What type of vulnerability is CVE-2018-8010?

This is classified as CWE-611, which is a common weakness in software security.

CVE-2018-8010

MEDIUM Year: 2018

CVSS v3 Score

5.5

Medium

CVSS v2 Score

2.1

Low

Weakness Type

CWE-611

View all →

Vulnerability Description

This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in mind, that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.

CVE-2012-5656

MEDIUM

CVSS:5.5(Medium)

The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack.

CWE-6112012

CVE-2016-5000

MEDIUM

CVSS:5.5(Medium)

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity re...

CWE-6112016

CVE-2016-5748

MEDIUM

CVSS:5.5(Medium)

External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local fi...

CWE-6112016

CVE-2016-5749

MEDIUM

CVSS:5.5(Medium)

NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML Externa...

CWE-6112016

CVE-2016-9318

MEDIUM

CVSS:5.5(Medium)

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, w...

CWE-6112016

CVE-2017-15280

MEDIUM

CVSS:5.5(Medium)

XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF)...

CWE-6112017

CVE-2018-8010

Vulnerability Description

Related Vulnerabilities

CVE-2012-5656

CVE-2016-5000

CVE-2016-5748

CVE-2016-5749

CVE-2016-9318

CVE-2017-15280