High severityNVD Advisory· Published Apr 9, 2018· Updated Sep 17, 2024

CVE-2018-1308

Description

This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the &dataConfig= parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Solr before 6.6.3 and 7.3.0 allows XXE via DataImportHandler's dataConfig parameter to read local files.

Vulnerability

This XML External Entity (XXE) vulnerability resides in the DataImportHandler component of Apache Solr, affecting versions 1.2 through 6.6.2 and 7.0.0 through 7.2.1 [1]. The bug is triggered when user-supplied inline XML is passed via the &dataConfig= request parameter. In the loadDataConfig method of DataImportHandler, the XML parser is not configured to disable external entity processing, allowing an attacker to define external entities that reference local files or network resources [2][3].

Exploitation

An attacker must have network access to a Solr instance where the DataImportHandler is exposed (commonly via the /dataimport handler or through the Solr Admin UI). The attacker crafts an HTTP request containing a malicious dataConfig parameter with an inline XML payload that includes a DOCTYPE declaration referencing an external entity. The entity can use file, ftp, or http protocols to read arbitrary files from the Solr server filesystem or from internal network endpoints [1][4]. No authentication is required if the handler is publicly accessible.

Impact

Successful exploitation allows an attacker to read any file that the Solr server process can access, such as configuration files, keystores, or sensitive application data. This can lead to disclosure of credentials, encryption keys, or other confidential information, potentially enabling further attacks on the Solr cluster or connected systems [1][4]. The impact is confined to information disclosure; no remote code execution is described in the references.

Mitigation

Apache Solr fixed this vulnerability in versions 6.6.3 and 7.3.0 [2][3]. The fix introduces EmptyEntityResolver and disables xinclude for inline XML sources. Users should upgrade to the latest patched version. If upgrading is not feasible, organizations should restrict network access to the DataImportHandler endpoint or disable the handler entirely. The vulnerability is not listed on the CISA KEV as of the writing date [1].

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.solr:solr-coreMaven	>= 1.2, < 6.6.3	6.6.3
org.apache.solr:solr-coreMaven	>= 7.0.0, < 7.3.0	7.3.0

Affected products

ghsa-coords
pkg:maven/org.apache.solr/solr-core
Range: >= 1.2, < 6.6.3
Apache Software Foundation/Apache Solrv5
Range: 1.2 to 6.6.2

Patches

3530397f1777

SOLR-11971: Add CVE number: CVE-2018-1308

https://github.com/apache/lucene-solrUwe SchindlerApr 8, 2018via ghsa

commit

1 file changed · +1 −1

solr/CHANGES.txt+1 −1 modified

@@ -386,7 +386,7 @@ Bug Fixes
 
 * SOLR-11988: Fix exists() method in EphemeralDirectoryFactory/MockDirectoryFactory to prevent false positives (hossman)
 
-* SOLR-11971: Don't allow referal to external resources in DataImportHandler's dataConfig request parameter.
+* SOLR-11971: Don't allow referal to external resources in DataImportHandler's dataConfig request parameter (CVE-2018-1308).
   (麦 香浓郁, Uwe Schindler)
 
 * SOLR-12021: Fixed a bug in ApiSpec and other JSON resource loading that was causing unclosed file handles (hossman)

dd3be31f7062

SOLR-11971: Don't allow referal to external resources in DataImportHandler's dataConfig request parameter

https://github.com/apache/lucene-solrUwe SchindlerFeb 18, 2018via ghsa

commit

3 files changed · +37 −6

solr/CHANGES.txt+4 −2 modified

@@ -29,9 +29,11 @@ Apache UIMA 2.3.1
 Apache ZooKeeper 3.4.10
 Jetty 9.3.14.v20161028
 
+Bug Fixes
+----------------------
 
-(No Changes)
-
+* SOLR-11971: Don't allow referal to external resources in DataImportHandler's dataConfig request parameter.
+  (麦 香浓郁, Uwe Schindler)
 
 ==================  6.6.2 ==================

solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java+13 −4 modified

@@ -16,6 +16,7 @@
  */
 package org.apache.solr.handler.dataimport;
 
+import org.apache.solr.common.EmptyEntityResolver;
 import org.apache.solr.common.SolrException;
 import org.apache.solr.core.SolrCore;
 import org.apache.solr.schema.IndexSchema;
@@ -178,11 +179,11 @@ public IndexSchema getSchema() {
   /**
    * Used by tests
    */
-  public void loadAndInit(String configStr) {
+  void loadAndInit(String configStr) {
     config = loadDataConfig(new InputSource(new StringReader(configStr)));
   }
 
-  public void loadAndInit(InputSource configFile) {
+  void loadAndInit(InputSource configFile) {
     config = loadDataConfig(configFile);
   }
 
@@ -191,8 +192,10 @@ public DIHConfiguration loadDataConfig(InputSource configFile) {
     DIHConfiguration dihcfg = null;
     try {
       DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
       
-      // only enable xinclude, if a a SolrCore and SystemId is present (makes no sense otherwise)
+      // only enable xinclude, if XML is coming from safe source (local file)
+      // and a a SolrCore and SystemId is present (makes no sense otherwise):
       if (core != null && configFile.getSystemId() != null) {
         try {
           dbf.setXIncludeAware(true);
@@ -203,8 +206,14 @@ public DIHConfiguration loadDataConfig(InputSource configFile) {
       }
       
       DocumentBuilder builder = dbf.newDocumentBuilder();
-      if (core != null)
+      // only enable xinclude / external entities, if XML is coming from
+      // safe source (local file) and a a SolrCore and SystemId is present:
+      if (core != null && configFile.getSystemId() != null) {
         builder.setEntityResolver(new SystemIdResolver(core.getResourceLoader()));
+      } else {
+        // Don't allow external entities without having a system ID:
+        builder.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      }
       builder.setErrorHandler(XMLLOG);
       Document document;
       try {

solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java+20 −0 modified

@@ -89,6 +89,13 @@ public void testTransformerErrorContinue() throws Exception {
     assertQ(req("*:*"), "//*[@numFound='3']");
   }
 
+  public void testExternalEntity() throws Exception {
+    StringDataSource.xml = wellformedXml;
+    // This should not fail as external entities are replaced by an empty string during parsing:
+    runFullImport(dataConfigWithEntity);
+    assertQ(req("*:*"), "//*[@numFound='3']");
+  }
+
   public static class StringDataSource extends DataSource<Reader> {
     public static String xml = "";
 
@@ -157,6 +164,19 @@ public Object transformRow(Map<String, Object> row, Context context) {
           "    </document>\n" +
           "</dataConfig>";
 
+  private String dataConfigWithEntity = "<!DOCTYPE dataConfig [\n" + 
+          "  <!ENTITY internalTerm \"node\">\n" + 
+          "  <!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+          "]><dataConfig>\n" +
+          "    <dataSource name=\"str\" type=\"TestErrorHandling$StringDataSource\" />" +
+          "    <document>\n" +
+          "        <entity name=\"&internalTerm;\" dataSource=\"str\" processor=\"XPathEntityProcessor\" url=\"test\" forEach=\"/root/node\" onError=\"skip\">\n" +
+          "            <field column=\"id\" xpath=\"/root/node/id\">&externalTerm;</field>\n" +
+          "            <field column=\"desc\" xpath=\"/root/node/desc\" />\n" +
+          "        </entity>\n" +
+          "    </document>\n" +
+          "</dataConfig>";
+
   private String malformedXml = "<root>\n" +
           "    <node>\n" +
           "        <id>1</id>\n" +

739a7933

SOLR-11971: Don't allow referal to external resources in DataImportHandler's dataConfig request parameter

https://github.com/apache/lucene-solrUwe SchindlerFeb 18, 2018via ghsa

commit

3 files changed · +36 −4

solr/CHANGES.txt+3 −0 modified

@@ -194,6 +194,9 @@ Bug Fixes
 
 * SOLR-11988: Fix exists() method in EphemeralDirectoryFactory/MockDirectoryFactory to prevent false positives (hossman)
 
+* SOLR-11971: Don't allow referal to external resources in DataImportHandler's dataConfig request parameter.
+  (麦 香浓郁, Uwe Schindler)
+
 Optimizations
 ----------------------

solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java+13 −4 modified

@@ -16,6 +16,7 @@
  */
 package org.apache.solr.handler.dataimport;
 
+import org.apache.solr.common.EmptyEntityResolver;
 import org.apache.solr.common.SolrException;
 import org.apache.solr.core.SolrCore;
 import org.apache.solr.schema.IndexSchema;
@@ -178,11 +179,11 @@ public IndexSchema getSchema() {
   /**
    * Used by tests
    */
-  public void loadAndInit(String configStr) {
+  void loadAndInit(String configStr) {
     config = loadDataConfig(new InputSource(new StringReader(configStr)));
   }
 
-  public void loadAndInit(InputSource configFile) {
+  void loadAndInit(InputSource configFile) {
     config = loadDataConfig(configFile);
   }
 
@@ -191,8 +192,10 @@ public DIHConfiguration loadDataConfig(InputSource configFile) {
     DIHConfiguration dihcfg = null;
     try {
       DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
       
-      // only enable xinclude, if a a SolrCore and SystemId is present (makes no sense otherwise)
+      // only enable xinclude, if XML is coming from safe source (local file)
+      // and a a SolrCore and SystemId is present (makes no sense otherwise):
       if (core != null && configFile.getSystemId() != null) {
         try {
           dbf.setXIncludeAware(true);
@@ -203,8 +206,14 @@ public DIHConfiguration loadDataConfig(InputSource configFile) {
       }
       
       DocumentBuilder builder = dbf.newDocumentBuilder();
-      if (core != null)
+      // only enable xinclude / external entities, if XML is coming from
+      // safe source (local file) and a a SolrCore and SystemId is present:
+      if (core != null && configFile.getSystemId() != null) {
         builder.setEntityResolver(new SystemIdResolver(core.getResourceLoader()));
+      } else {
+        // Don't allow external entities without having a system ID:
+        builder.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      }
       builder.setErrorHandler(XMLLOG);
       Document document;
       try {

solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java+20 −0 modified

@@ -89,6 +89,13 @@ public void testTransformerErrorContinue() throws Exception {
     assertQ(req("*:*"), "//*[@numFound='3']");
   }
 
+  public void testExternalEntity() throws Exception {
+    StringDataSource.xml = wellformedXml;
+    // This should not fail as external entities are replaced by an empty string during parsing:
+    runFullImport(dataConfigWithEntity);
+    assertQ(req("*:*"), "//*[@numFound='3']");
+  }
+
   public static class StringDataSource extends DataSource<Reader> {
     public static String xml = "";
 
@@ -157,6 +164,19 @@ public Object transformRow(Map<String, Object> row, Context context) {
           "    </document>\n" +
           "</dataConfig>";
 
+  private String dataConfigWithEntity = "<!DOCTYPE dataConfig [\n" + 
+          "  <!ENTITY internalTerm \"node\">\n" + 
+          "  <!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+          "]><dataConfig>\n" +
+          "    <dataSource name=\"str\" type=\"TestErrorHandling$StringDataSource\" />" +
+          "    <document>\n" +
+          "        <entity name=\"&internalTerm;\" dataSource=\"str\" processor=\"XPathEntityProcessor\" url=\"test\" forEach=\"/root/node\" onError=\"skip\">\n" +
+          "            <field column=\"id\" xpath=\"/root/node/id\">&externalTerm;</field>\n" +
+          "            <field column=\"desc\" xpath=\"/root/node/desc\" />\n" +
+          "        </entity>\n" +
+          "    </document>\n" +
+          "</dataConfig>";
+
   private String malformedXml = "<root>\n" +
           "    <node>\n" +
           "        <id>1</id>\n" +

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-3pph-2595-cgfhghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2018-1308ghsaADVISORY
www.debian.org/security/2018/dsa-4194ghsavendor-advisoryx_refsource_DEBIANWEB
github.com/apache/lucene-solr/commit/3530397f1777332872eac2760f9aa0e2ae1d7450ghsaWEB
github.com/apache/lucene-solr/commit/739a7933ghsaWEB
github.com/apache/lucene-solr/commit/dd3be31f7062dcb2f3b2d7f0e89df29e197dee63ghsaWEB
issues.apache.org/jira/browse/SOLR-11971ghsax_refsource_CONFIRMWEB
lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3EghsaWEB
lists.debian.org/debian-lts-announce/2018/04/msg00025.htmlghsamailing-listx_refsource_MLISTWEB
mail-archives.apache.org/mod_mbox/www-announce/201804.mbox/%3C000001d3cf68%245ac69af0%241053d0d0%24%40apache.org%3Eghsamailing-listx_refsource_MLISTWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.003
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000