CVE-2019-5427
Description
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
c3p0 versions before 0.9.5.4 are vulnerable to a billion laughs XML entity expansion attack, leading to denial of service.
Vulnerability
Overview
CVE-2019-5427 is a denial-of-service vulnerability in c3p0, a popular JDBC connection pooling library for Java. The vulnerability exists in versions prior to 0.9.5.4 and is rooted in the library's XML configuration parsing code. The implementation lacks protections against recursive entity expansion, allowing an attacker to craft a malicious XML configuration file that triggers a billion laughs attack [1].
Exploitation
To exploit this vulnerability, an attacker must be able to supply a malicious XML configuration to c3p0. This could be achieved if an application loads configuration from an untrusted source, such as a user-uploaded file or an external feed. No authentication is required if the attacker can influence the configuration loading process. The attack vector is network-based, and exploitation results in exponential memory consumption due to recursive entity expansion [1].
Impact
Successful exploitation leads to denial of service via memory exhaustion. The affected application may become unresponsive or crash, impacting availability. The vulnerability does not allow code execution or data theft, but it can be used to disrupt services that rely on c3p0 for database connections [1].
Mitigation
The vulnerability is fixed in c3p0 version 0.9.5.4. Users are strongly advised to upgrade to this version or later. For environments where upgrading immediately is not possible, limiting access to configuration files or validating XML inputs can reduce risk. The issue was reported via HackerOne and has been addressed in official releases [1]. Fedora packages have also been updated to include the fix [2][3].
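The "validating XML inputs" mitigation above is most robust when the validation happens before the parser ever sees an entity declaration. The class below is an added example, not c3p0's own configuration loader: it assumes an application that reads a c3p0-style XML file from a source it does not fully control and parses it itself with JAXP. It builds a `DocumentBuilder` that refuses any DOCTYPE (so no internal entity can be declared, let alone expanded recursively), turns on JAXP secure processing as a second layer, and closes the related external-entity paths. The class name, method names and the two embedded configuration strings are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Hypothetical pre-parse gate for an application that loads a c3p0-style XML
 * configuration from a source it does not fully control. This is not c3p0 code.
 * A configuration file has no legitimate need for a DTD, so any DOCTYPE is
 * refused outright; with no entity declarations there is nothing to expand.
 */
public final class HardenedConfigLoader {

    /** Builds a parser that refuses DOCTYPE declarations and external entities. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: no DTD means no internal entity declarations at all,
        // so a recursive ("billion laughs") expansion cannot even be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: JAXP secure processing applies the JDK's
        // entity-expansion limits should a parser ignore the feature above.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Close the related XXE paths (external entities, external DTD, XInclude).
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /**
     * Parses a configuration document. Returns the DOM on success; throws
     * SAXException, before any expansion happens, when the input carries a DOCTYPE.
     */
    static Document loadConfig(InputStream in)
            throws ParserConfigurationException, SAXException, IOException {
        return newHardenedBuilder().parse(in);
    }

    /** Convenience overload for string-held samples. */
    static Document loadConfig(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return loadConfig(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed, benign c3p0-style configuration (element names follow the
        // c3p0-config.xml layout; the property values are illustrative).
        String benign =
              "<c3p0-config>\n"
            + "  <default-config>\n"
            + "    <property name=\"maxPoolSize\">20</property>\n"
            + "    <property name=\"acquireIncrement\">3</property>\n"
            + "  </default-config>\n"
            + "</c3p0-config>\n";
        Document doc = loadConfig(benign);
        System.out.println("accepted: root element = " + doc.getDocumentElement().getTagName());

        // Constructed input with a DOCTYPE carrying one harmless entity. The point
        // is the caveat: the hardened parser rejects every DTD, not just hostile
        // ones, so legitimate configurations must not rely on entities either.
        String withDtd =
              "<!DOCTYPE c3p0-config [ <!ENTITY pool \"20\"> ]>\n"
            + "<c3p0-config><default-config>"
            + "<property name=\"maxPoolSize\">&pool;</property>"
            + "</default-config></c3p0-config>";
        try {
            loadConfig(withDtd);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected: the parser stops at the DOCTYPE before any entity is expanded.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE is the decisive setting; the secure-processing feature only caps expansion counts, which still lets a parser burn CPU and memory up to the limit. The trade-off is that a configuration file that legitimately declares entities will now be refused, so operators should confirm their own configurations carry no DTD before deploying this kind of gate.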
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.mchange:c3p0 (Maven) | < 0.9.5.4 | 0.9.5.4 |
Affected products
46 GHSA coordinates; 45 version ranges (none with a CPE). Package coordinates and affected ranges are paired in listing order.

| Package (purl) | Distribution / module | Affected range |
|---|---|---|
| pkg:maven/com.mchange/c3p0 | Maven | < 0.9.5.4 |
| pkg:rpm/opensuse/c3p0 | openSUSE Tumbleweed | < 0.9.5.5-2.1 |
| pkg:rpm/suse/c3p0 | SUSE Manager Server Module 4.1 | < 0.9.5.5-3.3.2 |
| pkg:rpm/suse/c3p0 | SUSE Manager Server Module 4.2 | < 0.9.5.5-150300.4.6.1 |
| pkg:rpm/suse/dhcpd-formula | SUSE Manager Server Module 4.1 | < 0.1.1641480250.d5bd14c-3.3.2 |
| pkg:rpm/suse/grafana-formula | SUSE Manager Server Module 4.2 | < 0.7.0-150300.3.6.1 |
| pkg:rpm/suse/hub-xmlrpc-api | SUSE Manager Server Module 4.1 | < 0.7-3.9.2 |
| pkg:rpm/suse/hub-xmlrpc-api | SUSE Manager Server Module 4.2 | < 0.7-150300.3.6.1 |
| pkg:rpm/suse/inter-server-sync | SUSE Manager Server Module 4.2 | < 0.1.0-150300.8.12.1 |
| pkg:rpm/suse/mgr-osad | SUSE Manager Server Module 4.2 | < 4.2.8-150300.2.9.1 |
| pkg:rpm/suse/mgr-push | SUSE Manager Server Module 4.2 | < 4.2.5-150300.2.9.1 |
| pkg:rpm/suse/patterns-suse-manager | SUSE Manager Server Module 4.2 | < 4.2-150300.4.9.1 |
| pkg:rpm/suse/prometheus-exporters-formula | SUSE Manager Server Module 4.2 | < 1.2.0-150300.3.9.1 |
| pkg:rpm/suse/py26-compat-msgpack-python | SUSE Manager Server Module 4.1 | < 0.4.6-3.6.2 |
| pkg:rpm/suse/py26-compat-msgpack-python | SUSE Manager Server Module 4.2 | < 0.4.6-150300.4.3.1 |
| pkg:rpm/suse/py27-compat-salt | SUSE Manager Server Module 4.1 | < 3000.3-6.21.2 |
| pkg:rpm/suse/rhnlib | SUSE Manager Server Module 4.2 | < 4.2.6-150300.4.9.1 |
| pkg:rpm/suse/saltboot-formula | SUSE Manager Server Module 4.2 | < 0.1.1645440615.7f1328c-150300.3.9.1 |
| pkg:rpm/suse/smdba | SUSE Manager Server Module 4.2 | < 1.7.10-0.150300.3.3.1 |
| pkg:rpm/suse/spacecmd | SUSE Manager Server Module 4.1 | < 4.1.17-4.36.2 |
| pkg:rpm/suse/spacecmd | SUSE Manager Server Module 4.2 | < 4.2.16-150300.4.18.1 |
| pkg:rpm/suse/spacewalk-admin | SUSE Manager Server Module 4.2 | < 4.2.10-150300.3.9.1 |
| pkg:rpm/suse/spacewalk-backend | SUSE Manager Server Module 4.2 | < 4.2.20-150300.4.18.1 |
| pkg:rpm/suse/spacewalk-branding | SUSE Manager Server Module 4.2 | < 4.2.13-150300.3.9.1 |
| pkg:rpm/suse/spacewalk-certs-tools | SUSE Manager Server Module 4.2 | < 4.2.15-150300.3.15.1 |
| pkg:rpm/suse/spacewalk-client-tools | SUSE Manager Server Module 4.2 | < 4.2.18-150300.4.18.1 |
| pkg:rpm/suse/spacewalk-config | SUSE Manager Server Module 4.2 | < 4.2.6-150300.3.6.1 |
| pkg:rpm/suse/spacewalk-java | SUSE Manager Server Module 4.1 | < 4.1.44-3.66.2 |
| pkg:rpm/suse/spacewalk-java | SUSE Manager Server Module 4.2 | < 4.2.34-150300.3.26.2 |
| pkg:rpm/suse/spacewalk-web | SUSE Manager Server Module 4.1 | < 4.1.32-3.42.2 |
| pkg:rpm/suse/spacewalk-web | SUSE Manager Server Module 4.2 | < 4.2.26-150300.3.18.2 |
| pkg:rpm/suse/subscription-matcher | SUSE Manager Server Module 4.2 | < 0.29-150300.6.6.1 |
| pkg:rpm/suse/supportutils-plugin-susemanager | SUSE Manager Server Module 4.2 | < 4.2.4-150300.3.6.1 |
| pkg:rpm/suse/susemanager | SUSE Manager Server Module 4.1 | < 4.1.33-3.45.2 |
| pkg:rpm/suse/susemanager | SUSE Manager Server Module 4.2 | < 4.2.28-150300.3.22.1 |
| pkg:rpm/suse/susemanager-doc-indexes | SUSE Manager Server Module 4.1 | < 4.1-11.52.2 |
| pkg:rpm/suse/susemanager-doc-indexes | SUSE Manager Server Module 4.2 | < 4.2-150300.12.22.1 |
| pkg:rpm/suse/susemanager-docs_en | SUSE Manager Server Module 4.1 | < 4.1-11.52.2 |
| pkg:rpm/suse/susemanager-docs_en | SUSE Manager Server Module 4.2 | < 4.2-150300.12.22.1 |
| pkg:rpm/suse/susemanager-schema | SUSE Manager Server Module 4.1 | < 4.1.25-3.42.2 |
| pkg:rpm/suse/susemanager-schema | SUSE Manager Server Module 4.2 | < 4.2.21-150300.3.18.1 |
| pkg:rpm/suse/susemanager-sls | SUSE Manager Server Module 4.1 | < 4.1.34-3.59.2 |
| pkg:rpm/suse/susemanager-sls | SUSE Manager Server Module 4.2 | < 4.2.21-150300.3.20.1 |
| pkg:rpm/suse/suseRegisterInfo | SUSE Manager Server Module 4.2 | < 4.2.6-150300.4.9.1 |
| pkg:rpm/suse/virtualization-formulas | SUSE Manager Server Module 4.2 | < 0.6.2-150300.8.6.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12 references.
- github.com/advisories/GHSA-84p2-vf58-xhxv (GHSA; advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/ (MITRE; vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/ (MITRE; vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2019-5427 (GHSA; advisory)
- hackerone.com/reports/509315 (GHSA; x_refsource_MISC, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR (GHSA; web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4 (GHSA; web)
- www.oracle.com/security-alerts/cpuapr2020.html (GHSA; x_refsource_MISC, web)
- www.oracle.com/security-alerts/cpujan2021.html (GHSA; x_refsource_MISC, web)
- www.oracle.com/security-alerts/cpujul2020.html (GHSA; x_refsource_MISC, web)
- www.oracle.com/security-alerts/cpuoct2020.html (GHSA; x_refsource_MISC, web)
- www.oracle.com/security-alerts/cpuoct2021.html (GHSA; x_refsource_MISC, web)
News mentions
No linked articles in our index yet.