{"id":"CVE-2019-12401","details":"Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML, causing OOMs.","aliases":["GHSA-jq2w-w7v2-69q5"],"modified":"2026-04-10T04:14:27.406726Z","published":"2019-09-10T15:15:11.737Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/521d10a19bfb590f86dff41820ccfb11e92281f233a12c882650931e%40%3Cdev.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/60a924662ead9aeea74e8ea128d9ca935f8de925aa71b15ab2787d6a%40%3Csolr-user.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/7ab5e95a1a0b4f35ffe53f1eb0cb74b4348b49d41b72ac155b843fa2%40%3Cgeneral.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/db8eaca456d03c00a66cbe37548978318d424b9997e3fd7f5c65dffe%40%3Cdev.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/048ae6e4f84a88e8856f766320b48ad91f9fca2c6f621aa2c40088fe%40%3Cdev.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579%40%3Cdev.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/1c92300643f48f13bc59b15e3f886ba62bae1798c7d4c2e5c1ece09b%40%3Cannounce.apache.org%3E"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/09/10/1"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190926-0002/"},{"type":"ADVISORY","url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E"},{"type":"EVIDENCE","url":"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12401-XML%20Bomb-Apache%20Solr"}],"affected":[{"ranges
":[{"type":"GIT","repo":"https://github.com/apache/lucene-solr","events":[{"introduced":"6de56f9cbd200a23df974e7bcc2957c4526d7283"},{"last_affected":"7012c5edf194729031cea4d788597367543f5ead"},{"introduced":"c64739498056fd5c03acd76077b25de41a38075b"},{"last_affected":"8670d0078251adaba093d64dba76317e46ae6ac9"},{"introduced":"30b22298bacb5238437864128bc9005d49d0d3ed"},{"last_affected":"69175ad4fe8d224ad6a348d05f686105999a92e8"}],"database_specific":{"versions":[{"introduced":"1.3.0"},{"last_affected":"1.4.1"},{"introduced":"3.1"},{"last_affected":"3.6.2"},{"introduced":"4.0.0"},{"last_affected":"4.10.4"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12401.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}