CVE-2019-5427

HIGH EPSS 91.0%
Published Apr 22, 2019 (7y ago) · Modified Jun 17, 2026 (2w ago)
7.5 CVSS 3.1
High

Description

c3p0 versions before 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration, because the configuration loader lacks protections against recursive entity expansion.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
91.0% (percentile)
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (1)

CWE-776

Affected Products (19)

Vendor         Product                                   Version     Range
mchange        c3p0                                      *           <0.9.5.4
fedoraproject  fedora                                    29          any
fedoraproject  fedora                                    30          any
oracle         communications_ip_service_activator       7.3.0       any
oracle         communications_ip_service_activator       7.4.0       any
oracle         communications_session_route_manager      *           ≥8.2.0 – ≤8.2.2
oracle         documaker                                 *           ≥12.6.0 – ≤12.6.6
oracle         enterprise_manager_base_platform          13.2.1.0    any
oracle         enterprise_manager_ops_center             12.4.0.0    any
oracle         flexcube_private_banking                  12.0.0      any
oracle         flexcube_private_banking                  12.1.0      any
oracle         hyperion_infrastructure_technology        11.1.2.4    any
oracle         retail_xstore_point_of_service            15.0        any
oracle         retail_xstore_point_of_service            16.0        any
oracle         retail_xstore_point_of_service            17.0        any
oracle         retail_xstore_point_of_service            18.0        any
oracle         retail_xstore_point_of_service            19.0        any
oracle         webcenter_sites                           12.2.1.3.0  any
oracle         webcenter_sites                           12.2.1.4.0  any

References (8)

  • hackerone.com https://hackerone.com/reports/509315
    Exploit, Issue Tracking, Patch, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
    Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2020.html
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2021.html
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2020.html
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2020.html
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
    Third Party Advisory

Remediation

  • hackerone.com https://hackerone.com/reports/509315
    Exploit, Issue Tracking, Patch, Third Party Advisory