Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-wke8-9ysk-akc2
Vulnerability ID VCID-wke8-9ysk-akc2
Aliases CVE-2013-6397
GHSA-j8qw-mwmv-28cg
Summary Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
Status Published
Exploitability 2.0
Weighted Severity 6.2
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
generic_textual MODERATE http://lucene.apache.org/solr/4_6_0/changes/Changes.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2013-1844.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-0029.html
epss 0.92173 https://api.first.org/data/v1/epss?cve=CVE-2013-6397
epss 0.92173 https://api.first.org/data/v1/epss?cve=CVE-2013-6397
epss 0.92173 https://api.first.org/data/v1/epss?cve=CVE-2013-6397
epss 0.92173 https://api.first.org/data/v1/epss?cve=CVE-2013-6397
epss 0.92173 https://api.first.org/data/v1/epss?cve=CVE-2013-6397
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-j8qw-mwmv-28cg
generic_textual MODERATE https://github.com/apache/lucene-solr
generic_textual MODERATE https://github.com/apache/lucene-solr/commit/da34b18cb3092df4972e2b6fa5178d1059923910
generic_textual MODERATE https://issues.apache.org/jira/browse/SOLR-4882
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2013-6397
generic_textual MODERATE https://web.archive.org/web/20170307173358/http://www.securityfocus.com/bid/63935
generic_textual MODERATE http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2013/11/27/1
Reference id Reference type URL
http://lucene.apache.org/solr/4_6_0/changes/Changes.html
http://rhn.redhat.com/errata/RHSA-2013-1844.html
http://rhn.redhat.com/errata/RHSA-2014-0029.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6397.json
https://api.first.org/data/v1/epss?cve=CVE-2013-6397
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6612
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6397
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6408
https://github.com/apache/lucene-solr
https://github.com/apache/lucene-solr/commit/da34b18cb3092df4972e2b6fa5178d1059923910
https://issues.apache.org/jira/browse/SOLR-4882
https://nvd.nist.gov/vuln/detail/CVE-2013-6397
https://web.archive.org/web/20170307173358/http://www.securityfocus.com/bid/63935
http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html
http://www.openwall.com/lists/oss-security/2013/11/27/1
1035062 https://bugzilla.redhat.com/show_bug.cgi?id=1035062
731113 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731113
CVE-2013-6397 https://bugzilla.redhat.com/CVE-2013-6397
GHSA-j8qw-mwmv-28cg https://github.com/advisories/GHSA-j8qw-mwmv-28cg
RHSA-2013:1844 https://access.redhat.com/errata/RHSA-2013:1844
RHSA-2014:0029 https://access.redhat.com/errata/RHSA-2014:0029
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.99708
EPSS Score 0.92173
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:18.951862+00:00 ProjectKB MSRImporter Import https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv 38.0.0