RobertHathaway created SOLR-13109:
-------------------------------------
Summary: CVE-2015-1832 Against Solr v7.6
Key: SOLR-13109
URL: https://issues.apache.org/jira/browse/SOLR-13109
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Affects Versions: 7.6
Environment: RedHat Linux. May run from RHEL versions 5, 6 or 7 but
this issue is from Sonatype component scan and should be independent of Linux
platform version.
Reporter: RobertHathaway
Threat Level 9/Critical from Sonatype Application Composition Report run of
Solr 7.6.0, using Scanner 1.56.0-01. Enterprise security won't allow us to
move past Solr 6.5 unless this is fixed or somehow remediated. Lots of issues
in Solr 7.1 also, may be best to move to latest Solr.
h2. CVE-2015-1832 Detail
h3. Current Description
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby
before 10.12.1.1, when a Java Security Manager is not in place, allows
context-dependent attackers to read arbitrary files or cause a denial of
service (resource consumption) via vectors involving XmlVTI and the XML
datatype.
h3. Impact
*CVSS v3.0 Severity and Metrics:*
*Base Score:* [9.1 CRITICAL|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-1832&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H]
*Vector:* AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H ([V3 legend|https://www.first.org/cvss/specification-document])
*Impact Score:* 5.2
*Exploitability Score:* 3.9
https://nvd.nist.gov/vuln/detail/CVE-2015-1832
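Added here as a triage example, not part of this issue or of the Solr or Derby projects: a script that walks an installation tree, finds Derby jars and flags any older than 10.12.1.1, the first fixed release named in the description above. It assumes the Maven-style file name derby-<version>.jar; the directory tree it scans is constructed inline so it runs without a Solr install.

```python
import os
import re
import tempfile

# First Derby release without the SqlXmlUtil XXE, taken from the CVE description.
FIXED_VERSION = (10, 12, 1, 1)
# Maven-style jar name, e.g. derby-10.9.1.0.jar (assumed naming; derbyclient-*.jar is skipped).
JAR_NAME = re.compile(r"^derby-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'10.9.1.0' -> (10, 9, 1, 0). Compare as integers: as strings, '10.9' sorts
    after '10.12' and a vulnerable 10.9.x would be reported as fixed."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True when the Derby release predates the fixed version."""
    return parse_version(version) < FIXED_VERSION


def find_derby_jars(root):
    """Yield (path, version) for every derby-<version>.jar under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_NAME.match(name)
            if match:
                yield os.path.join(dirpath, name), match.group(1)


def triage(root):
    """Return sorted (path, version, vulnerable) triples for the whole tree."""
    return sorted((p, v, is_vulnerable(v)) for p, v in find_derby_jars(root))


def build_sample_tree():
    """Constructed fixture: empty files stand in for jars, so no real Solr install is needed."""
    root = tempfile.mkdtemp(prefix="solr-scan-")
    for rel in ("dist/derby-10.9.1.0.jar",          # vulnerable
                "contrib/lib/derby-10.14.2.0.jar",  # fixed
                "lib/derbyclient-10.9.1.0.jar"):    # different artefact, ignored
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for path, version, vulnerable in triage(build_sample_tree()):
        print("VULNERABLE" if vulnerable else "ok", version, path)
```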
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)