CVE-2019-5427

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Published: Apr 22, 2019
Updated: Nov 8, 2023
CVE: CVE-2019-5427
GHSA: GHSA-84p2-vf58-xhxv
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-776

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
mchange / c3p0	-	0.9.5.2
fedoraproject / fedora	29	29.x
fedoraproject / fedora	30	30.x
oracle / retail_xstore_point_of_service	15.0	15.0.x
oracle / flexcube_private_banking	12.1.0	12.1.0.x
oracle / flexcube_private_banking	12.0.0	12.0.0.x
oracle / webcenter_sites	12.2.1.3.0	12.2.1.3.0.x
oracle / retail_xstore_point_of_service	16.0	16.0.x
oracle / webcenter_sites	12.2.1.4.0	12.2.1.4.0.x
oracle / retail_xstore_point_of_service	17.0	17.0.x
oracle / retail_xstore_point_of_service	18.0	18.0.x
oracle / retail_xstore_point_of_service	19.0	19.0.x
oracle / communications_ip_service_activator	7.4.0	7.4.0.x
oracle / communications_ip_service_activator	7.3.0	7.3.0.x
oracle / hyperion_infrastructure_technology	11.1.2.4	11.1.2.4.x
oracle / enterprise_manager_ops_center	12.4.0.0	12.4.0.0.x
oracle / communications_session_route_manager	8.2.0	8.2.2.x
oracle / enterprise_manager_base_platform	13.2.1.0	13.2.1.0.x
oracle / documaker	12.6.0	12.6.6.x
com.mchange / c3p0	-	0.9.5.4

Vulnerability Database

289,599

CVE-2019-5427