CVE-2019-5427 - c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration du

CVE-2019-5427

Summary

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

References

Vulnerable Configurations

cpe:2.3:a:mchange:c3p0:0.8.4:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.4:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.4.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.4.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.4.2:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.4.2:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.4.5:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.4.5:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.5:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.5:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.5.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.5.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.5.2:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.8.5.2:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.0.2:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.0.2:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.0.3:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.0.3:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.1.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.1.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.1.2:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.1.2:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.2.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.2.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.5:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.5:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.5.1:*:*:*:*:*:*:*
cpe:2.3:a:mchange:c3p0:0.9.5.1:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:documaker:12.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:documaker:12.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 22-04-2022 - 19:28)
Impact:
Exploitability:

CWE

CWE-776

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

refmap via4

fedora	FEDORA-2019-063672154a FEDORA-2019-cb14e234fc
misc	https://hackerone.com/reports/509315 https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html

Last major update

22-04-2022 - 19:28

Published

22-04-2019 - 21:29

Last modified

22-04-2022 - 19:28