CVE-2019-5427

Опубликовано: 22 апр. 2019

Источник: debian

Описание

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
c3p0	fixed	0.9.1.2-10.1		package
c3p0	no-dsa		bookworm	package
c3p0	no-dsa		bullseye	package
c3p0	no-dsa		buster	package
c3p0	no-dsa		stretch	package
c3p0	no-dsa		jessie	package

Примечания

https://hackerone.com/reports/509315
Fixed by: https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b

Связанные уязвимости

CVE-2019-5427

CVSS3: 7.5

ubuntu

почти 7 лет назад

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

CVE-2019-5427

CVSS3: 4.4

redhat

почти 7 лет назад

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

CVE-2019-5427

CVSS3: 7.5

nvd

почти 7 лет назад

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

GHSA-84p2-vf58-xhxv

CVSS3: 7.5

github

почти 7 лет назад

Billion laughs attack in c3p0

BDU:2020-01665

CVSS3: 7.5

fstec

почти 7 лет назад

Уязвимость функции ConfigXmlUtils библиотеки работы с JDBC-драйверами c3p0, позволяющая нарушителю вызвать отказ в обслуживании