[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2017-12629":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":23,"aliases":47,"duplicate_of":9,"upstream":49,"downstream":50,"duplicates":75,"related":76,"reserved_at":9,"published_at":78,"modified_at":79,"state":80,"summary":81,"references_raw":88,"kevs":252,"epss":253,"epss_history":256,"metrics":450,"affected":461},"CVE-2017-12629","Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-611","Improper Restriction of XML External Entity Reference","The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.","weakness","Draft","Base",[19],{"id":20,"name":21,"techniques":22},"CAPEC-221","Data Serialization External Entities Blowup",[],[24,33],{"_key":25,"name":26,"source":27,"url":28,"maturity":29,"reliability_score":30,"verified":31,"type":9,"platforms":32,"requires_auth":9,"exploitdb":9,"metasploit":9},"REF_6C7A6EE8EFDDD64A","Exploit Reference (s.apache.org)","reference","https://s.apache.org/FJDl","unknown",0.2,false,[],{"_key":34,"name":35,"source":36,"url":37,"maturity":38,"reliability_score":39,"verified":40,"type":9,"platforms":41,"requires_auth":9,"exploitdb":43,"metasploit":9},"43009","Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution","exploit-database","https://www.exploit-db.com/exploits/43009","poc",0.8,true,[42],"xml",{"verified":40,"type":44,"platform":42,"file":45,"codes":46},"webapps","exploits/xml/webapps/43009.txt",[7],[48],"GHSA-mh7g-99w9-xpjm",[],[51,53,55,57,59,61,63,65,67,69,71,73],{"_key":52},"UBUNTU-CVE-2017-12629",{"_key":54},"USN-4259-1",{"_key":56},"RHSA-2017:3123",{"_key":58},"RHSA-2017:3451",{"_key":60},"RHSA-2017:3452",{"_key":62},"DLA-1254-1",{"_key":64},"DSA-4124-1",{"_key":66},"MGASA-2017-0403",{"_key":68},"DEBIAN-CVE-2017-12629",{"_key":70},"RHSA-2018:0002",{"_key":72},"RHSA-2018:0004",{"_key":74},"RHSA-2018:0005",[],[77],{"_key":66},"2017-10-14T21:00:00.000Z","2024-08-05T18:43:56.440Z","Modified",{"cisa_kev":31,"cisa_ransomware":31,"cisa_vendor":9,"epss_severity":82,"epss_score":83,"severity":82,"severity_score":84,"severity_version":85,"severity_source":86,"severity_vector":87,"severity_status":80},"critical",0.93891,9.8,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[89,99,105,109,115,119,123,127,132,136,140,144,148,152,156,161,166,171,175,179,183,187,191,195,199,204,208,212,216,219,223,227,231,235,239,243,248],{"url":90,"sources":91,"tags":94},"https://access.redhat.com/errata/RHSA-2017:3451",[92,86,93],"cve.org","osv_maven",[95,96,97,98],"Vendor Advisory","X Refsource REDHAT","Third Party Advisory","WEB",{"url":28,"sources":100,"tags":101},[92,86,93],[102,103,104,95,98],"Mailing List","X Refsource MLIST","Exploit",{"url":106,"sources":107,"tags":108},"https://access.redhat.com/errata/RHSA-2018:0002",[92,86,93],[95,96,97,98],{"url":110,"sources":111,"tags":112},"http://www.securityfocus.com/bid/101261",[92,86,93],[113,114,97,98],"VDB Entry","X Refsource BID",{"url":116,"sources":117,"tags":118},"https://access.redhat.com/errata/RHSA-2018:0004",[92,86,93],[95,96,97,98],{"url":120,"sources":121,"tags":122},"https://access.redhat.com/errata/RHSA-2017:3452",[92,86,93],[95,96,97,98],{"url":124,"sources":125,"tags":126},"https://lists.debian.org/debian-lts-announce/2018/01/msg00028.html",[92,86,93],[102,103,97,98],{"url":128,"sources":129,"tags":130},"https://www.exploit-db.com/exploits/43009/",[92,86],[104,131,97,113],"X Refsource EXPLOIT DB",{"url":133,"sources":134,"tags":135},"https://access.redhat.com/errata/RHSA-2018:0003",[92,86,93],[95,96,97,98],{"url":137,"sources":138,"tags":139},"https://access.redhat.com/errata/RHSA-2017:3123",[92,86,93],[95,96,97,98],{"url":141,"sources":142,"tags":143},"https://access.redhat.com/errata/RHSA-2018:0005",[92,86,93],[95,96,97,98],{"url":145,"sources":146,"tags":147},"https://access.redhat.com/errata/RHSA-2017:3244",[92,86,93],[95,96,97,98],{"url":149,"sources":150,"tags":151},"https://access.redhat.com/errata/RHSA-2017:3124",[92,86,93],[95,96,97,98],{"url":153,"sources":154,"tags":155},"http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E",[92,86,93],[102,103,95,98],{"url":157,"sources":158,"tags":159},"https://www.debian.org/security/2018/dsa-4124",[92,86,93],[95,160,97,98],"X Refsource DEBIAN",{"url":162,"sources":163,"tags":164},"https://usn.ubuntu.com/4259-1/",[92,86],[95,165,97],"X Refsource UBUNTU",{"url":167,"sources":168,"tags":169},"https://twitter.com/ApacheSolr/status/918731485611401216",[92,86,93],[170,97,98],"X Refsource MISC",{"url":172,"sources":173,"tags":174},"https://twitter.com/searchtools_avi/status/918904813613543424",[92,86,93],[170,97,98],{"url":176,"sources":177,"tags":178},"http://openwall.com/lists/oss-security/2017/10/13/1",[92,86,93],[170,102,97,98],{"url":180,"sources":181,"tags":182},"https://twitter.com/joshbressers/status/919258716297420802",[92,86,93],[170,97,98],{"url":184,"sources":185,"tags":186},"https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef%40%3Cusers.solr.apache.org%3E",[92,86],[102,103],{"url":188,"sources":189,"tags":190},"https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc%40%3Cusers.solr.apache.org%3E",[92,86],[102,103],{"url":192,"sources":193,"tags":194},"https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314%40%3Cusers.solr.apache.org%3E",[92,86],[102,103],{"url":196,"sources":197,"tags":198},"https://lists.apache.org/thread.html/r26c996b068ef6c5e89aa59acb769025cfd343a08e63fbe9e7f3f720f%40%3Coak-issues.jackrabbit.apache.org%3E",[92,86],[102,103],{"url":200,"sources":201,"tags":202},"https://nvd.nist.gov/vuln/detail/CVE-2017-12629",[93],[203],"Advisory",{"url":205,"sources":206,"tags":207},"https://github.com/apache/lucene-solr/commit/3bba91131b5257e64b9d0a2193e1e32a145b2a2",[93],[98],{"url":209,"sources":210,"tags":211},"https://github.com/apache/lucene-solr/commit/d8000beebfb13ba0b6e754f84c760e11592d8d1",[93],[98],{"url":213,"sources":214,"tags":215},"https://github.com/apache/lucene-solr/commit/f9fd6e9e26224f26f1542224ce187e04c27b268",[93],[98],{"url":37,"sources":217,"tags":218},[93],[98],{"url":220,"sources":221,"tags":222},"https://usn.ubuntu.com/4259-1",[93],[98],{"url":224,"sources":225,"tags":226},"https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef@%3Cusers.solr.apache.org%3E",[93],[98],{"url":228,"sources":229,"tags":230},"https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314@%3Cusers.solr.apache.org%3E",[93],[98],{"url":232,"sources":233,"tags":234},"https://lists.apache.org/thread.html/r26c996b068ef6c5e89aa59acb769025cfd343a08e63fbe9e7f3f720f@%3Coak-issues.jackrabbit.apache.org%3E",[93],[98],{"url":236,"sources":237,"tags":238},"https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc@%3Cusers.solr.apache.org%3E",[93],[98],{"url":240,"sources":241,"tags":242},"https://issues.apache.org/jira/browse/SOLR-11477",[93],[98],{"url":244,"sources":245,"tags":246},"https://github.com/apache/lucene",[93],[247],"PACKAGE",{"url":249,"sources":250,"tags":251},"https://github.com/advisories/GHSA-mh7g-99w9-xpjm",[93],[203],[],{"date":254,"score":83,"percentile":255},"2026-06-04",0.99884,[257,260,263,265,267,269,271,273,275,277,279,281,283,285,287,290,292,294,296,298,300,303,305,307,309,311,313,315,318,320,322,324,326,328,330,332,334,336,338,340,342,344,346,348,350,352,354,356,358,360,362,364,366,368,370,374,376,378,380,383,385,388,391,393,395,397,399,401,403,405,408,410,412,414,417,419,421,423,425,427,429,431,433,435,437,439,441,443,445,447],{"date":258,"score":83,"percentile":259},"2025-11-04",0.99864,{"date":261,"score":83,"percentile":262},"2025-11-05",0.99865,{"date":264,"score":83,"percentile":262},"2025-11-06",{"date":266,"score":83,"percentile":259},"2025-11-07",{"date":268,"score":83,"percentile":259},"2025-11-08",{"date":270,"score":83,"percentile":259},"2025-11-09",{"date":272,"score":83,"percentile":259},"2025-11-10",{"date":274,"score":83,"percentile":259},"2025-11-11",{"date":276,"score":83,"percentile":259},"2025-11-12",{"date":278,"score":83,"percentile":259},"2025-11-13",{"date":280,"score":83,"percentile":259},"2025-11-14",{"date":282,"score":83,"percentile":259},"2025-11-15",{"date":284,"score":83,"percentile":259},"2025-11-16",{"date":286,"score":83,"percentile":262},"2025-11-17",{"date":288,"score":83,"percentile":289},"2025-11-18",0.99915,{"date":291,"score":83,"percentile":289},"2025-11-19",{"date":293,"score":83,"percentile":289},"2025-11-20",{"date":295,"score":83,"percentile":259},"2025-11-21",{"date":297,"score":83,"percentile":262},"2025-11-22",{"date":299,"score":83,"percentile":262},"2025-11-23",{"date":301,"score":83,"percentile":302},"2025-11-24",0.99863,{"date":304,"score":83,"percentile":302},"2025-11-25",{"date":306,"score":83,"percentile":302},"2025-11-26",{"date":308,"score":83,"percentile":302},"2025-11-27",{"date":310,"score":83,"percentile":302},"2025-11-28",{"date":312,"score":83,"percentile":302},"2025-11-29",{"date":314,"score":83,"percentile":302},"2025-11-30",{"date":316,"score":83,"percentile":317},"2025-12-01",0.99866,{"date":319,"score":83,"percentile":317},"2025-12-02",{"date":321,"score":83,"percentile":317},"2025-12-03",{"date":323,"score":83,"percentile":259},"2025-12-04",{"date":325,"score":83,"percentile":302},"2025-12-05",{"date":327,"score":83,"percentile":302},"2025-12-06",{"date":329,"score":83,"percentile":259},"2025-12-07",{"date":331,"score":83,"percentile":259},"2025-12-08",{"date":333,"score":83,"percentile":259},"2025-12-09",{"date":335,"score":83,"percentile":259},"2025-12-10",{"date":337,"score":83,"percentile":302},"2025-12-11",{"date":339,"score":83,"percentile":302},"2025-12-12",{"date":341,"score":83,"percentile":302},"2025-12-13",{"date":343,"score":83,"percentile":302},"2025-12-14",{"date":345,"score":83,"percentile":302},"2025-12-15",{"date":347,"score":83,"percentile":302},"2025-12-16",{"date":349,"score":83,"percentile":259},"2025-12-17",{"date":351,"score":83,"percentile":259},"2025-12-18",{"date":353,"score":83,"percentile":259},"2025-12-19",{"date":355,"score":83,"percentile":262},"2025-12-20",{"date":357,"score":83,"percentile":262},"2025-12-21",{"date":359,"score":83,"percentile":262},"2025-12-22",{"date":361,"score":83,"percentile":262},"2025-12-23",{"date":363,"score":83,"percentile":262},"2025-12-24",{"date":365,"score":83,"percentile":262},"2025-12-25",{"date":367,"score":83,"percentile":259},"2025-12-26",{"date":369,"score":83,"percentile":259},"2025-12-27",{"date":371,"score":372,"percentile":373},"2025-12-28",0.93776,0.99844,{"date":375,"score":372,"percentile":373},"2025-12-29",{"date":377,"score":372,"percentile":373},"2025-12-30",{"date":379,"score":372,"percentile":373},"2025-12-31",{"date":381,"score":372,"percentile":382},"2026-01-01",0.99848,{"date":384,"score":372,"percentile":382},"2026-01-02",{"date":386,"score":372,"percentile":387},"2026-01-03",0.99847,{"date":389,"score":372,"percentile":390},"2026-01-04",0.99843,{"date":392,"score":372,"percentile":390},"2026-01-05",{"date":394,"score":372,"percentile":390},"2026-01-06",{"date":396,"score":372,"percentile":390},"2026-01-07",{"date":398,"score":372,"percentile":373},"2026-01-08",{"date":400,"score":372,"percentile":373},"2026-01-09",{"date":402,"score":372,"percentile":373},"2026-01-10",{"date":404,"score":372,"percentile":373},"2026-01-11",{"date":406,"score":372,"percentile":407},"2026-01-12",0.99845,{"date":409,"score":372,"percentile":407},"2026-01-13",{"date":411,"score":372,"percentile":407},"2026-01-14",{"date":413,"score":372,"percentile":407},"2026-01-15",{"date":415,"score":372,"percentile":416},"2026-01-16",0.99846,{"date":418,"score":372,"percentile":416},"2026-01-17",{"date":420,"score":372,"percentile":387},"2026-01-18",{"date":422,"score":372,"percentile":416},"2026-01-19",{"date":424,"score":372,"percentile":416},"2026-01-20",{"date":426,"score":372,"percentile":416},"2026-01-21",{"date":428,"score":372,"percentile":387},"2026-01-22",{"date":430,"score":372,"percentile":387},"2026-01-23",{"date":432,"score":372,"percentile":387},"2026-01-24",{"date":434,"score":372,"percentile":387},"2026-01-25",{"date":436,"score":372,"percentile":387},"2026-01-26",{"date":438,"score":372,"percentile":387},"2026-01-27",{"date":440,"score":372,"percentile":387},"2026-01-28",{"date":442,"score":372,"percentile":387},"2026-01-29",{"date":444,"score":372,"percentile":387},"2026-01-30",{"date":446,"score":372,"percentile":387},"2026-01-31",{"date":448,"score":372,"percentile":449},"2026-02-01",0.99851,[451,459],{"source":86,"cvss_v2_0":452,"cvss_v3_0":9,"cvss_v3_1":457,"cvss_v4_0":9},{"baseScore":453,"baseSeverity":9,"vectorString":454,"impactScore":455,"exploitabilityScore":456},7.5,"AV:N/AC:L/Au:N/C:P/I:P/A:P",6.4,10,{"baseScore":84,"baseSeverity":458,"vectorString":87,"impactScore":84,"exploitabilityScore":456},"CRITICAL",{"source":93,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":460,"cvss_v4_0":9},{"baseScore":84,"baseSeverity":9,"vectorString":87,"impactScore":84,"exploitabilityScore":456},[462,479,487,498,516],{"ecosystem":9,"name":463,"vendor":9,"product":463,"cpe_part":9,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":464},"Solr",[465,471,475],{"version":466,"is_range":40,"range_type":467,"version_start":468,"version_start_type":469,"version_end":470,"version_end_type":469,"fixed_in":9},"gte5.5.0_lte5.5.4","cpe","5.5.0","including","5.5.4",{"version":472,"is_range":40,"range_type":467,"version_start":473,"version_start_type":469,"version_end":474,"version_end_type":469,"fixed_in":9},"gte6.0.0_lte6.6.1","6.0.0","6.6.1",{"version":476,"is_range":40,"range_type":467,"version_start":477,"version_start_type":469,"version_end":478,"version_end_type":469,"fixed_in":9},"gte7.0.0_lte7.0.1","7.0.0","7.0.1",{"ecosystem":9,"name":480,"vendor":481,"product":482,"cpe_part":483,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":484},"ubuntu linux","canonical","ubuntu_linux","o",[485],{"version":486,"is_range":31,"range_type":467,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"16.04",{"ecosystem":9,"name":488,"vendor":489,"product":490,"cpe_part":483,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":491},"debian linux","debian","debian_linux",[492,494,496],{"version":493,"is_range":31,"range_type":467,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"7.0",{"version":495,"is_range":31,"range_type":467,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"8.0",{"version":497,"is_range":31,"range_type":467,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"9.0",{"ecosystem":499,"name":500,"vendor":501,"product":502,"cpe_part":9,"purl_type":503,"purl_namespace":501,"purl_name":502,"source":9,"versions":504},"Maven","org.apache.solr:solr-core","org.apache.solr","solr-core","maven",[505,510,513],{"version":506,"is_range":40,"range_type":507,"version_start":477,"version_start_type":469,"version_end":508,"version_end_type":509,"fixed_in":9},"gte7_0_0_lt7_1_0","ecosystem","7.1.0","excluding",{"version":511,"is_range":40,"range_type":507,"version_start":473,"version_start_type":469,"version_end":512,"version_end_type":509,"fixed_in":9},"gte6_0_0_lt6_6_2","6.6.2",{"version":514,"is_range":40,"range_type":507,"version_start":468,"version_start_type":469,"version_end":515,"version_end_type":509,"fixed_in":9},"gte5_5_0_lt5_5_5","5.5.5",{"ecosystem":9,"name":517,"vendor":518,"product":519,"cpe_part":520,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":521},"jboss enterprise application platform","redhat","jboss_enterprise_application_platform","a",[522,523],{"version":477,"is_range":31,"range_type":467,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":508,"is_range":31,"range_type":467,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9}]