Home

CVE-2019-5427

Description

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
4.06

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2019-5427 are fixed in mchange.com-c3p0 0.9.5.4Windows
JDBC Connection pooling library (USN-5293-1) libc3p0-java_0.9.1.2-10ubuntu0.20.04.1_all.debLinux
JDBC Connection pooling library (USN-5293-1) libc3p0-java_0.9.1.2-10ubuntu0.21.10.1_all.debLinux
JDBC Connection pooling library (USN-5293-1) libc3p0-java_0.9.1.2-9+deb8u1ubuntu0.18.04.1_all.debLinux
Vulnerabilities CVE-2019-5427 are fixed in mchange.com-c3p0 for Linux 0.9.5.4Linux
Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) Vulnerability (CVE-2019-5427)NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234