CVE-2019-12401

Summary

Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.

Affected Software

VendorProductVersion RangeStatus
ApacheSolr1.3.0 to 1.4.1affected
ApacheSolr3.1.0 to 3.6.2affected
ApacheSolr4.0.0 to 4.10.4affected

Weaknesses

  • XML Entity Expansion

ADP Enrichment

CVE Program Container

Additional References

References