CVE-2019-12401

Name: CVE-2019-12401
Description: Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML, causing OOMs.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     | Release                      | Version               | Status
lucene-solr (PTS)  | jessie (security), jessie    | 3.6.2+dfsg-5+deb8u2   | vulnerable
lucene-solr (PTS)  | stretch (security), stretch  | 3.6.2+dfsg-10+deb9u2  | vulnerable
lucene-solr (PTS)  | buster                       | 3.6.2+dfsg-20         | vulnerable
lucene-solr (PTS)  | bullseye, sid                | 3.6.2+dfsg-21         | vulnerable

The information below is based on the following data on fixed versions.

Package      | Type    | Release     | Fixed Version | Urgency | Origin | Debian Bugs
lucene-solr  | source  | (unstable)  | (unfixed)     | medium  |        |

Notes

https://issues.apache.org/jira/browse/SOLR-13750
https://www.openwall.com/lists/oss-security/2019/09/10/1
