Common Weakness Enumeration

CWE-776

Allowed

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Abstraction: Base · Status: Draft

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

142 vulnerabilities reference this CWE, most recent first.

GHSA-6CVG-3R48-6PRG

Vulnerability from github – Published: 2022-04-23 00:03 – Updated: 2022-04-30 00:00
VLAI
Details

IBM Cognos Analytics PowerPlay (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7) could be vulnerable to an XML Bomb attack by a malicious authenticated user. IBM X-Force ID: 196813.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-22T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cognos Analytics PowerPlay (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7) could be vulnerable to an XML Bomb attack by a malicious authenticated user. IBM X-Force ID: 196813.",
  "id": "GHSA-6cvg-3r48-6prg",
  "modified": "2022-04-30T00:00:45Z",
  "published": "2022-04-23T00:03:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20464"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196813"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220602-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6570957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WFM-7HQX-39WG

Vulnerability from github – Published: 2022-04-29 01:28 – Updated: 2024-02-02 15:30
VLAI
Details

libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2003-1564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-12-31T05:00:00Z",
    "severity": "HIGH"
  },
  "details": "libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the \"billion laughs attack.\"",
  "id": "GHSA-6wfm-7hqx-39wg",
  "modified": "2024-02-02T15:30:25Z",
  "published": "2022-04-29T01:28:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-1564"
    },
    {
      "type": "WEB",
      "url": "http://mail.gnome.org/archives/xml/2008-August/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31868"
    },
    {
      "type": "WEB",
      "url": "http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0886.html"
    },
    {
      "type": "WEB",
      "url": "http://www.stylusstudio.com/xmldev/200302/post20020.html"
    },
    {
      "type": "WEB",
      "url": "http://xmlsoft.org/news.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WJ9-77WQ-JQ7P

Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2023-03-06 23:31
VLAI
Summary
Nokogiri is vulnerable to XML External Entity (XXE) attack
Details

Nokogiri before 1.5.4 is vulnerable to XXE attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2012-6685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-12T16:55:39Z",
    "nvd_published_at": "2020-02-19T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Nokogiri before 1.5.4 is vulnerable to XXE attacks.",
  "id": "GHSA-6wj9-77wq-jq7p",
  "modified": "2023-03-06T23:31:46Z",
  "published": "2022-04-23T00:40:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6685"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/issues/693"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1178970"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/nokogiri"
    },
    {
      "type": "WEB",
      "url": "https://nokogiri.org/CHANGELOG.html#154-2012-06-12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nokogiri is vulnerable to XML External Entity (XXE) attack"
}

GHSA-73CQ-FHP3-8RPW

Vulnerability from github – Published: 2018-10-17 00:04 – Updated: 2021-09-02 19:18
VLAI
Summary
Moderate severity vulnerability that affects org.restlet.jse:org.restlet
Details

Restlet Framework 2.1.x before 2.1.7 and 2.x.x before 2.2 RC1, when using XMLRepresentation or XML serializers, allows attackers to cause a denial of service via an XML Entity Expansion (XEE) attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.restlet.jse:org.restlet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-1868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:21:10Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Restlet Framework 2.1.x before 2.1.7 and 2.x.x before 2.2 RC1, when using XMLRepresentation or XML serializers, allows attackers to cause a denial of service via an XML Entity Expansion (XEE) attack.",
  "id": "GHSA-73cq-fhp3-8rpw",
  "modified": "2021-09-02T19:18:12Z",
  "published": "2018-10-17T00:04:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1868"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91181"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-73cq-fhp3-8rpw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/restlet/restlet-framework-java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56940"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Moderate severity vulnerability that affects org.restlet.jse:org.restlet"
}

GHSA-748J-WM96-4WH5

Vulnerability from github – Published: 2026-06-26 00:32 – Updated: 2026-06-26 00:32
VLAI
Details

A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T00:16:50Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.",
  "id": "GHSA-748j-wm96-4wh5",
  "modified": "2026-06-26T00:32:07Z",
  "published": "2026-06-26T00:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12993"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-12993"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491692"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-74FP-R6JW-H4MP

Vulnerability from github – Published: 2023-02-08 00:35 – Updated: 2024-05-20 21:45
VLAI
Summary
Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing
Details

CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable.

When creating a ConfigMap object which has recursive references contained in it, excessive CPU usage can occur. This appears to be an instance of a "Billion Laughs" attack which is quite well known as an XML parsing issue.

Applying this manifest to a cluster causes the client to hang for some time with considerable CPU usage.

apiVersion: v1
data:
  a: &a ["web","web","web","web","web","web","web","web","web"]
  b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
  c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
  d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
  e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
  f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
  g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
  h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
  i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
kind: ConfigMap
metadata:
  name: yaml-bomb
  namespace: default

Specific Go Packages Affected

  • k8s.io/apimachinery/pkg/runtime/serializer/json
  • k8s.io/apimachinery/pkg/util/json
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/apimachinery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20190927203648-9ce6eca90e73"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T00:35:27Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable. \n\nWhen creating a ConfigMap object which has recursive references contained in it, excessive CPU usage can occur. This appears to be an instance of a \"Billion Laughs\" attack which is quite well known as an XML parsing issue.\n\nApplying this manifest to a cluster causes the client to hang for some time with considerable CPU usage.\n\n```yaml\napiVersion: v1\ndata:\n  a: \u0026a [\"web\",\"web\",\"web\",\"web\",\"web\",\"web\",\"web\",\"web\",\"web\"]\n  b: \u0026b [*a,*a,*a,*a,*a,*a,*a,*a,*a]\n  c: \u0026c [*b,*b,*b,*b,*b,*b,*b,*b,*b]\n  d: \u0026d [*c,*c,*c,*c,*c,*c,*c,*c,*c]\n  e: \u0026e [*d,*d,*d,*d,*d,*d,*d,*d,*d]\n  f: \u0026f [*e,*e,*e,*e,*e,*e,*e,*e,*e]\n  g: \u0026g [*f,*f,*f,*f,*f,*f,*f,*f,*f]\n  h: \u0026h [*g,*g,*g,*g,*g,*g,*g,*g,*g]\n  i: \u0026i [*h,*h,*h,*h,*h,*h,*h,*h,*h]\nkind: ConfigMap\nmetadata:\n  name: yaml-bomb\n  namespace: default\n```\n### Specific Go Packages Affected\n- k8s.io/apimachinery/pkg/runtime/serializer/json\n- k8s.io/apimachinery/pkg/util/json\n",
  "id": "GHSA-74fp-r6jw-h4mp",
  "modified": "2024-05-20T21:45:20Z",
  "published": "2023-02-08T00:35:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11253"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/83253"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/pull/83261"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-pmqp-h87c-mr78"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubernetes/kubernetes"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/kubernetes-security-announce/c/jk8polzSUxs"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0965"
    },
    {
      "type": "WEB",
      "url": "https://stackoverflow.com/questions/58129150/security-yaml-bomb-user-can-restart-kube-api-by-sending-configmap"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing"
}

GHSA-78VV-QJ73-H9M5

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-07-01 16:57
VLAI
Summary
Improper Restriction of Recursive Entity References in DTDs in Apache POI
Details

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.poi:poi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-5644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T16:57:07Z",
    "nvd_published_at": "2017-03-24T14:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.",
  "id": "GHSA-78vv-qj73-h9m5",
  "modified": "2022-07-01T16:57:07Z",
  "published": "2022-05-13T01:14:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5644"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "http://poi.apache.org/#20+March+2017+-+CVE-2017-5644+-+Possible+DOS+%28Denial+of+Service%29+in+Apache+POI+versions+prior+to+3.15"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96983"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of Recursive Entity References in DTDs in Apache POI"
}

GHSA-7XR3-6GGC-WC9P

Vulnerability from github – Published: 2022-08-06 05:30 – Updated: 2024-11-18 23:03
VLAI
Summary
untangle vulnerable to XML Entity Expansion
Details

Impact

An attacker may be able to cause a denial-of-service (DoS) condition on the server on which the product is running. This affects untangle versions up to and including 1.2.0

Patches

The problem has been fixed with version 1.2.1

Workarounds

None

References

https://jvn.jp/en/jp/JVN30454777/

For more information

If you have any questions or comments about this advisory: * Open an issue

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "untangle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-33977"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-06T05:30:56Z",
    "nvd_published_at": "2022-07-26T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn attacker may be able to cause a denial-of-service (DoS) condition on the server on which the product is running. This affects untangle versions up to and including 1.2.0\n\n### Patches\nThe problem has been fixed with version 1.2.1\n\n### Workarounds\nNone\n\n### References\nhttps://jvn.jp/en/jp/JVN30454777/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an [issue](https://github.com/stchris/untangle/issues)\n",
  "id": "GHSA-7xr3-6ggc-wc9p",
  "modified": "2024-11-18T23:03:15Z",
  "published": "2022-08-06T05:30:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/stchris/untangle/security/advisories/GHSA-7xr3-6ggc-wc9p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33977"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/untangle/PYSEC-2022-243.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stchris/untangle"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stchris/untangle/releases/tag/1.2.1"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN30454777"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "untangle vulnerable to XML Entity Expansion"
}

GHSA-7XVQ-VM2P-4R2F

Vulnerability from github – Published: 2025-10-01 18:30 – Updated: 2025-10-01 18:30
VLAI
Details

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the "admin" or "power" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T17:15:40Z",
    "severity": "MODERATE"
  },
  "details": "In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the \"admin\" or \"power\" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks.",
  "id": "GHSA-7xvq-vm2p-4r2f",
  "modified": "2025-10-01T18:30:39Z",
  "published": "2025-10-01T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20369"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-1004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84P2-VF58-XHXV

Vulnerability from github – Published: 2019-04-23 16:03 – Updated: 2021-04-23 20:12
VLAI
Summary
Billion laughs attack in c3p0
Details

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.5.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.mchange:c3p0"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-5427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-04-23T16:01:51Z",
    "nvd_published_at": "2019-04-22T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "c3p0 version \u003c 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.",
  "id": "GHSA-84p2-vf58-xhxv",
  "modified": "2021-04-23T20:12:41Z",
  "published": "2019-04-23T16:03:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5427"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/509315"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Billion laughs attack in c3p0"
}

Mitigation
Operation

If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Mitigation
Implementation

Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.

CAPEC-197: Exponential Data Expansion

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.