CVE-2019-5427
Published 2019-04-22
Severity: high, base score 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, low complexity, no privileges or user interaction required, scope unchanged; no confidentiality or integrity impact, high availability impact)
c3p0 versions before 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration: the XML parser used to read the configuration file had no protection against recursive entity expansion, so a small crafted configuration document can exhaust memory or CPU and deny service to the application.
Affected (23 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | c3p0 | < c3p0 0.9.1.2-10.1 (forky) | c3p0 0.9.1.2-10.1 (forky) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| mchange | c3p0 | < 0.9.5.4 | 0.9.5.4 |
| mchange | c3p0 | — | — |
| mchange | c3p0 | >= 0 < 0.9.1.2-10.1 | 0.9.1.2-10.1 |
| mchange | c3p0 | >= 0 < 0.9.1.2-10.1 | 0.9.1.2-10.1 |
| oracle | communications_ip_service_activator | — | — |
| oracle | communications_ip_service_activator | — | — |
| oracle | communications_session_route_manager | 8.2.0 – 8.2.2 | — |
| oracle | documaker | 12.6.0 – 12.6.6 | — |
| oracle | enterprise_manager_base_platform | — | — |
| oracle | enterprise_manager_ops_center | — | — |
| oracle | flexcube_private_banking | — | — |
| oracle | flexcube_private_banking | — | — |
| oracle | hyperion_infrastructure_technology | — | — |
| oracle | retail_xstore_point_of_service | — | — |
| oracle | retail_xstore_point_of_service | — | — |
| oracle | retail_xstore_point_of_service | — | — |
| oracle | retail_xstore_point_of_service | — | — |
| oracle | retail_xstore_point_of_service | — | — |
| oracle | webcenter_sites | — | — |
| oracle | webcenter_sites | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |