CVE-2019-5427

Опубликовано: 22 апр. 2019

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Ссылки

https://hackerone.com/reports/509315
Exploit
Issue Tracking
Patch
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Third Party Advisory
https://hackerone.com/reports/509315
Exploit
Issue Tracking
Patch
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mchange:c3p0:*:*:*:*:*:*:*:*

Версия до 0.9.5.4 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*

Версия от 8.2.0 (включая) до 8.2.2 (включая)

cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*

Версия от 12.6.0 (включая) до 12.6.6 (включая)

cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*

EPSS

Процентиль: 81%

0.015

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-776

Связанные уязвимости

CVE-2019-5427

CVSS3: 7.5

ubuntu

почти 7 лет назад

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

CVE-2019-5427

CVSS3: 4.4

redhat

почти 7 лет назад

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

CVE-2019-5427

CVSS3: 7.5

debian

почти 7 лет назад

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack whe ...

GHSA-84p2-vf58-xhxv

CVSS3: 7.5

github

почти 7 лет назад

Billion laughs attack in c3p0

BDU:2020-01665

CVSS3: 7.5

fstec

почти 7 лет назад

Уязвимость функции ConfigXmlUtils библиотеки работы с JDBC-драйверами c3p0, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 81%

0.015

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-776