{"url":"http://public2.vulnerablecode.io/api/packages/568686?format=json","purl":"pkg:maven/org.apache.solr/solr-core@3.1","type":"maven","namespace":"org.apache.solr","name":"solr-core","version":"3.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"9.10.1","latest_non_vulnerable_version":"9.10.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55884?format=json","vulnerability_id":"VCID-zfk3-8kt1-gbbw","summary":"Apache Solr vulnerable to XML Bomb\nSolr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.","references":[{"reference_url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12401.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12401.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12401","reference_id":"","reference_type":"","scores":[{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96872","published_at":"2026-04-09T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_eleme
nts":"0.96935","published_at":"2026-05-15T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96892","published_at":"2026-04-24T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96889","published_at":"2026-04-18T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96885","published_at":"2026-04-16T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96878","published_at":"2026-04-13T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96848","published_at":"2026-04-01T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96876","published_at":"2026-04-12T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96855","published_at":"2026-04-02T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96858","published_at":"2026-04-04T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96862","published_at":"2026-04-07T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96871","published_at":"2026-04-08T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96875","published_at":"2026-04-11T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96933","published_at":"2026-05-14T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96922","published_at":"2026-05-12T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96915","published_at":"2026-05-11T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96913","published_at":"2026-05-09T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96907","published_at":"2026-05-07T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96903","published_at":"2026-05-05T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_element
s":"0.96897","published_at":"2026-04-29T12:55:00Z"},{"value":"0.32768","scoring_system":"epss","scoring_elements":"0.96894","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12401"},{"reference_url":"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12401-XML%20Bomb-Apache%20Solr","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12401-XML%20Bomb-Apache%20Solr"},{"reference_url":"https://issues.apache.org/jira/browse/SOLR-13750","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SOLR-13750"},{"reference_url":"https://lists.apache.org/thread.html/048ae6e4f84a88e8856f766320b48ad91f9fca2c6f621aa2c40088fe@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/048ae6e4f84a88e8856f766320b48ad91f9fca2c6f621aa2c40088fe@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/048ae6e4f84a88e8856f766320b48ad91f9fca2c6f621aa2c40088fe%40%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/048ae6e4f84a88e8856f766320b48ad91f9fca2c6f621aa2c40088fe%40%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579@%3Cdev.lucene.ap
ache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579%40%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579%40%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/1c92300643f48f13bc59b15e3f886ba62bae1798c7d4c2e5c1ece09b@%3Cannounce.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/1c92300643f48f13bc59b15e3f886ba62bae1798c7d4c2e5c1ece09b@%3Cannounce.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/1c92300643f48f13bc59b15e3f886ba62bae1798c7d4c2e5c1ece09b%40%3Cannounce.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/1c92300643f48f13bc59b15e3f886ba62bae1798c7d4c2e5c1ece09b%40%3Cannounce.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/521d10a19bfb590f86dff41820ccfb11e92281f233a12c882650931e@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/521d10a19bfb590f86dff41820ccfb11e92281f233a12c882650931e
@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/521d10a19bfb590f86dff41820ccfb11e92281f233a12c882650931e%40%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/521d10a19bfb590f86dff41820ccfb11e92281f233a12c882650931e%40%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/60a924662ead9aeea74e8ea128d9ca935f8de925aa71b15ab2787d6a@%3Csolr-user.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/60a924662ead9aeea74e8ea128d9ca935f8de925aa71b15ab2787d6a@%3Csolr-user.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/60a924662ead9aeea74e8ea128d9ca935f8de925aa71b15ab2787d6a%40%3Csolr-user.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/60a924662ead9aeea74e8ea128d9ca935f8de925aa71b15ab2787d6a%40%3Csolr-user.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/7ab5e95a1a0b4f35ffe53f1eb0cb74b4348b49d41b72ac155b843fa2@%3Cgeneral.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/7ab5e95a1a0b4f35ffe53f1eb0cb74b4348b49d41b72ac155b843fa2@%3Cgeneral.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/7ab5e95a1a0b4f35ffe53f1eb0cb74b4348b49d41b72ac155b843fa2%40%3Cgeneral.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/7ab5e95a1a0b4f35ffe53f1eb0cb74b434
8b49d41b72ac155b843fa2%40%3Cgeneral.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/db8eaca456d03c00a66cbe37548978318d424b9997e3fd7f5c65dffe@%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/db8eaca456d03c00a66cbe37548978318d424b9997e3fd7f5c65dffe@%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/db8eaca456d03c00a66cbe37548978318d424b9997e3fd7f5c65dffe%40%3Cdev.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/db8eaca456d03c00a66cbe37548978318d424b9997e3fd7f5c65dffe%40%3Cdev.lucene.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12401","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:N/I:N/A:P"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12401"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190926-0002","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20190926-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190926-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20190926-0002/"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/09/10/1","reference_id":"","refe
rence_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2019/09/10/1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789513","reference_id":"1789513","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789513"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-jq2w-w7v2-69q5","reference_id":"GHSA-jq2w-w7v2-69q5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jq2w-w7v2-69q5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/149203?format=json","purl":"pkg:maven/org.apache.solr/solr-core@4.0.0-ALPHA","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3f1v-ypty-mygx"},{"vulnerability":"VCID-3vmh-e7x6-3kf6"},{"vulnerability":"VCID-4dgs-1mk2-5ubr"},{"vulnerability":"VCID-5781-s1ny-q7ey"},{"vulnerability":"VCID-5esr-zs91-zbb5"},{"vulnerability":"VCID-5tq3-rye7-nygg"},{"vulnerability":"VCID-a4yf-9j54-e3cp"},{"vulnerability":"VCID-f12j-fvhp-quec"},{"vulnerability":"VCID-ftx3-494m-hbee"},{"vulnerability":"VCID-h9gm-dpgv-2yeh"},{"vulnerability":"VCID-ke61-vddr-4udk"},{"vulnerability":"VCID-rym5-bjyc-nybu"},{"vulnerability":"VCID-tt7h-4geu-5bc9"},{"vulnerability":"VCID-v5ka-6bd4-33ft"},{"vulnerability":"VCID-vvt2-qyef-3fa6"},{"vulnerability":"VCID-wke8-9ysk-akc2"},{"vulnerability":"VCID-xypj-xu8p-gkbs"},{"vulnerability":"VCID-zrn1-s
7ht-pbdt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.solr/solr-core@4.0.0-ALPHA"},{"url":"http://public2.vulnerablecode.io/api/packages/20485?format=json","purl":"pkg:maven/org.apache.solr/solr-core@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vmh-e7x6-3kf6"},{"vulnerability":"VCID-4dgs-1mk2-5ubr"},{"vulnerability":"VCID-5781-s1ny-q7ey"},{"vulnerability":"VCID-5esr-zs91-zbb5"},{"vulnerability":"VCID-a4yf-9j54-e3cp"},{"vulnerability":"VCID-f12j-fvhp-quec"},{"vulnerability":"VCID-ftx3-494m-hbee"},{"vulnerability":"VCID-h9gm-dpgv-2yeh"},{"vulnerability":"VCID-jugm-3s3r-8kf8"},{"vulnerability":"VCID-ke61-vddr-4udk"},{"vulnerability":"VCID-tt7h-4geu-5bc9"},{"vulnerability":"VCID-v5ka-6bd4-33ft"},{"vulnerability":"VCID-vvt2-qyef-3fa6"},{"vulnerability":"VCID-xypj-xu8p-gkbs"},{"vulnerability":"VCID-z2u5-9szx-vyax"},{"vulnerability":"VCID-zrn1-s7ht-pbdt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.solr/solr-core@5.0.0"}],"aliases":["CVE-2019-12401","GHSA-jq2w-w7v2-69q5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zfk3-8kt1-gbbw"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.solr/solr-core@3.1"}