vulnerability

FreeBSD: VID-e837390d-0ceb-46b8-9b32-29c1195f5dc7 (CVE-2017-12629): solr -- Code execution via entity expansion

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:N/C:P/I:P/A:P)	Oct 13, 2017	Oct 13, 2017	Dec 10, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Oct 13, 2017

Added

Oct 13, 2017

Modified

Dec 10, 2025

Description

Solr developers report: Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities which leads to arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions. Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such listener can be enabled with any parameters just by using Config API with add-listener command.

Solution

freebsd-upgrade-package-apache-solr

References

CVE-2017-12629
https://attackerkb.com/topics/CVE-2017-12629
CWE-611

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today