ID CVE-2019-5427
Summary c3p0 versions before 0.9.5.4 are vulnerable to a billion laughs attack when loading XML configuration, because protections against recursive entity expansion are missing.
References
Vulnerable Configurations
  • cpe:2.3:a:mchange:c3p0:0.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.8.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.8.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.8.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.8.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mchange:c3p0:0.9.5.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:documaker:12.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 22-04-2022 - 19:28)
Impact:
Exploitability:
CWE CWE-776
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
refmap via4
fedora
  • FEDORA-2019-063672154a
  • FEDORA-2019-cb14e234fc
misc
Last major update 22-04-2022 - 19:28
Published 22-04-2019 - 21:29
Last modified 22-04-2022 - 19:28