GHSA-jq2w-w7v2-69q5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jq2w-w7v2-69q5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jq2w-w7v2-69q5/GHSA-jq2w-w7v2-69q5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jq2w-w7v2-69q5
- Aliases
- Published
- 2022-05-24T22:00:29Z
- Modified
- 2024-02-21T05:33:21.582986Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Apache Solr vulnerable to XML Bomb
- Details
-
Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it?s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
- Database specific
{ "nvd_published_at": "2019-09-10T15:15:00Z", "cwe_ids": [ "CWE-776" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-11-08T13:23:13Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-12401
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12401-XML%20Bomb-Apache%20Solr
- https://issues.apache.org/jira/browse/SOLR-13750
- https://lists.apache.org/thread.html/048ae6e4f84a88e8856f766320b48ad91f9fca2c6f621aa2c40088fe@%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579@%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/1c92300643f48f13bc59b15e3f886ba62bae1798c7d4c2e5c1ece09b@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/521d10a19bfb590f86dff41820ccfb11e92281f233a12c882650931e@%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/60a924662ead9aeea74e8ea128d9ca935f8de925aa71b15ab2787d6a@%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/7ab5e95a1a0b4f35ffe53f1eb0cb74b4348b49d41b72ac155b843fa2@%3Cgeneral.lucene.apache.org%3E
- https://lists.apache.org/thread.html/db8eaca456d03c00a66cbe37548978318d424b9997e3fd7f5c65dffe@%3Cdev.lucene.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190926-0002
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E
- http://www.openwall.com/lists/oss-security/2019/09/10/1
Affected packages
Maven / org.apache.solr:solr-core
Package
- Name
- org.apache.solr:solr-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.solr/solr-core