Vulnerability Details CVE-2019-5427
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.026
EPSS Ranking 84.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://hackerone.com/reports/509315
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://hackerone.com/reports/509315
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Products affected by CVE-2019-5427
-
cpe:2.3:a:mchange:c3p0:0.8.4
-
cpe:2.3:a:mchange:c3p0:0.8.4.1
-
cpe:2.3:a:mchange:c3p0:0.8.4.2
-
cpe:2.3:a:mchange:c3p0:0.8.4.5
-
cpe:2.3:a:mchange:c3p0:0.8.5
-
cpe:2.3:a:mchange:c3p0:0.8.5.1
-
cpe:2.3:a:mchange:c3p0:0.8.5.2
-
cpe:2.3:a:mchange:c3p0:0.9.0
-
cpe:2.3:a:mchange:c3p0:0.9.0.2
-
cpe:2.3:a:mchange:c3p0:0.9.0.3
-
cpe:2.3:a:mchange:c3p0:0.9.0.4
-
cpe:2.3:a:mchange:c3p0:0.9.1
-
cpe:2.3:a:mchange:c3p0:0.9.1.1
-
cpe:2.3:a:mchange:c3p0:0.9.1.2
-
cpe:2.3:a:mchange:c3p0:0.9.2
-
cpe:2.3:a:mchange:c3p0:0.9.2.1
-
cpe:2.3:a:mchange:c3p0:0.9.5
-
cpe:2.3:a:mchange:c3p0:0.9.5.1
-
cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0
-
cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.2
-
cpe:2.3:a:oracle:documaker:12.6.0
-
cpe:2.3:a:oracle:documaker:12.6.3
-
cpe:2.3:a:oracle:documaker:12.6.4
-
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0
-
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0
-
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0
-
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0
-
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0
-
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0
-
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0
-
cpe:2.3:o:fedoraproject:fedora:29
-
cpe:2.3:o:fedoraproject:fedora:30