CVE-2019-12401
Apache Solr vulnerable to XML Bomb
CVSS 3.1 base score: 7.5 (HIGH). EPSS: 32.8%.
Description
Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML, causing out-of-memory errors (OOMs).
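One defensive check for the mechanism described above, as an added illustration that is not the advisory's or Solr's own code: a Solr-style update body is parsed with Python's stdlib expat parser configured to abort on any DOCTYPE or ENTITY declaration (and on an oversized body), so nested-entity patterns are refused before a single entity is expanded. The `<add>/<doc>/<field>` layout follows Solr's XML update format; the size limit, function names and sample bodies are assumptions constructed here.

```python
import xml.parsers.expat

class DtdRejected(Exception):
    """Raised when an update body carries a DOCTYPE or entity declaration."""

def parse_update_document(xml_bytes: bytes, max_bytes: int = 1_000_000) -> list:
    """Parse a Solr-style <add><doc><field name="...">..</field></doc></add> body,
    returning one dict (field name -> text) per <doc>. Any DOCTYPE or ENTITY
    declaration aborts parsing before a single entity is expanded."""
    if len(xml_bytes) > max_bytes:
        raise DtdRejected(f"update body exceeds {max_bytes} bytes")
    docs, state = [], {"field": None, "buf": []}
    def reject(*_args):
        # Fires on <!DOCTYPE ...> and on every <!ENTITY ...>; expat stops here.
        raise DtdRejected("DOCTYPE/ENTITY declarations are not accepted")
    def start(name, attrs):
        if name == "doc":
            docs.append({})
        elif name == "field" and docs:
            state["field"], state["buf"] = attrs.get("name"), []
    def chars(data):
        # Character data may arrive in several chunks; buffer until </field>.
        if state["field"] is not None:
            state["buf"].append(data)
    def end(name):
        if name == "field" and state["field"] is not None:
            docs[-1][state["field"]] = "".join(state["buf"])
            state["field"] = None
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return docs

def is_accepted(xml_bytes: bytes) -> bool:
    """True if the body parses under the rules above, False if it is rejected."""
    try:
        parse_update_document(xml_bytes)
        return True
    except DtdRejected:
        return False

# Constructed sample inputs (not taken from the advisory or from Solr).
SAFE_BODY = b'<add><doc><field name="id">1</field><field name="title">hello</field></doc></add>'
DTD_BODY = (b'<?xml version="1.0"?><!DOCTYPE add [<!ENTITY a "aaaa">]>'
            b'<add><doc><field name="id">&a;</field></doc></add>')
```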
How to fix CVE-2019-12401
To remediate CVE-2019-12401, upgrade the affected package to a fixed version below.
- Upgrade to 5.0.0 or later
Is CVE-2019-12401 being exploited?
Moderate — EPSS is 32.8%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- Apache Solr: all versions from 0 up to, but not including, 5.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (13)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2019-12401
- WEB: mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E
- WEB: github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12401-XML%20Bomb-Apache%20Solr
- WEB: issues.apache.org