CVE-2019-5427
Severity: HIGH · EPSS 91.0%
CVSS 3.1 base score: 7.5
Published Apr 22, 2019 · Modified Jun 17, 2026
Description
c3p0 versions before 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration, because the configuration loader lacks protections against recursive entity expansion.
CVSS Details
Base Score: 7.5
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Threat Intelligence
EPSS Exploit Probability: 91.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses (1)
CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Affected Products (19)
| Vendor | Product | Version | Range |
|---|---|---|---|
| mchange | c3p0 | * | <0.9.5.4 |
| fedoraproject | fedora | 29 | any |
| fedoraproject | fedora | 30 | any |
| oracle | communications_ip_service_activator | 7.3.0 | any |
| oracle | communications_ip_service_activator | 7.4.0 | any |
| oracle | communications_session_route_manager | * | ≥8.2.0 – ≤8.2.2 |
| oracle | documaker | * | ≥12.6.0 – ≤12.6.6 |
| oracle | enterprise_manager_base_platform | 13.2.1.0 | any |
| oracle | enterprise_manager_ops_center | 12.4.0.0 | any |
| oracle | flexcube_private_banking | 12.0.0 | any |
| oracle | flexcube_private_banking | 12.1.0 | any |
| oracle | hyperion_infrastructure_technology | 11.1.2.4 | any |
| oracle | retail_xstore_point_of_service | 15.0 | any |
| oracle | retail_xstore_point_of_service | 16.0 | any |
| oracle | retail_xstore_point_of_service | 17.0 | any |
| oracle | retail_xstore_point_of_service | 18.0 | any |
| oracle | retail_xstore_point_of_service | 19.0 | any |
| oracle | webcenter_sites | 12.2.1.3.0 | any |
| oracle | webcenter_sites | 12.2.1.4.0 | any |
References (8)
- hackerone.com https://hackerone.com/reports/509315
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/
- oracle.com https://www.oracle.com/security-alerts/cpuapr2020.html
- oracle.com https://www.oracle.com/security-alerts/cpujan2021.html
- oracle.com https://www.oracle.com/security-alerts/cpujul2020.html
- oracle.com https://www.oracle.com/security-alerts/cpuoct2020.html
- oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
Remediation
- hackerone.com https://hackerone.com/reports/509315