High severityNVD Advisory· Published Apr 22, 2019· Updated Aug 4, 2024
CVE-2019-5427
CVE-2019-5427
Description
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.mchange:c3p0Maven | < 0.9.5.4 | 0.9.5.4 |
Affected products
46- ghsa-coords45 versionspkg:maven/com.mchange/c3p0pkg:rpm/opensuse/c3p0&distro=openSUSE%20Tumbleweedpkg:rpm/suse/c3p0&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/c3p0&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/dhcpd-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/grafana-formula&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/hub-xmlrpc-api&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/hub-xmlrpc-api&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/inter-server-sync&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/mgr-osad&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/mgr-push&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/patterns-suse-manager&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/prometheus-exporters-formula&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/py26-compat-msgpack-python&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/py26-compat-msgpack-python&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/py27-compat-salt&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/saltboot-formula&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/smdba&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-admin&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-backend&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-branding&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-certs-tools&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-config&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-java&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-java&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/spacewalk-web&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-web&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/subscription-matcher&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/supportutils-plugin-susemanager&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager-doc-indexes&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-doc-indexes&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager-docs_en&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-docs_en&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager-schema&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-schema&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/susemanager-sls&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-sls&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/suseRegisterInfo&distro=SUSE%20Manager%20Server%20Module%204.2pkg:rpm/suse/virtualization-formulas&distro=SUSE%20Manager%20Server%20Module%204.2
< 0.9.5.4+ 44 more
- (no CPE)range: < 0.9.5.4
- (no CPE)range: < 0.9.5.5-2.1
- (no CPE)range: < 0.9.5.5-3.3.2
- (no CPE)range: < 0.9.5.5-150300.4.6.1
- (no CPE)range: < 0.1.1641480250.d5bd14c-3.3.2
- (no CPE)range: < 0.7.0-150300.3.6.1
- (no CPE)range: < 0.7-3.9.2
- (no CPE)range: < 0.7-150300.3.6.1
- (no CPE)range: < 0.1.0-150300.8.12.1
- (no CPE)range: < 4.2.8-150300.2.9.1
- (no CPE)range: < 4.2.5-150300.2.9.1
- (no CPE)range: < 4.2-150300.4.9.1
- (no CPE)range: < 1.2.0-150300.3.9.1
- (no CPE)range: < 0.4.6-3.6.2
- (no CPE)range: < 0.4.6-150300.4.3.1
- (no CPE)range: < 3000.3-6.21.2
- (no CPE)range: < 4.2.6-150300.4.9.1
- (no CPE)range: < 0.1.1645440615.7f1328c-150300.3.9.1
- (no CPE)range: < 1.7.10-0.150300.3.3.1
- (no CPE)range: < 4.1.17-4.36.2
- (no CPE)range: < 4.2.16-150300.4.18.1
- (no CPE)range: < 4.2.10-150300.3.9.1
- (no CPE)range: < 4.2.20-150300.4.18.1
- (no CPE)range: < 4.2.13-150300.3.9.1
- (no CPE)range: < 4.2.15-150300.3.15.1
- (no CPE)range: < 4.2.18-150300.4.18.1
- (no CPE)range: < 4.2.6-150300.3.6.1
- (no CPE)range: < 4.1.44-3.66.2
- (no CPE)range: < 4.2.34-150300.3.26.2
- (no CPE)range: < 4.1.32-3.42.2
- (no CPE)range: < 4.2.26-150300.3.18.2
- (no CPE)range: < 0.29-150300.6.6.1
- (no CPE)range: < 4.2.4-150300.3.6.1
- (no CPE)range: < 4.1.33-3.45.2
- (no CPE)range: < 4.2.28-150300.3.22.1
- (no CPE)range: < 4.1-11.52.2
- (no CPE)range: < 4.2-150300.12.22.1
- (no CPE)range: < 4.1-11.52.2
- (no CPE)range: < 4.2-150300.12.22.1
- (no CPE)range: < 4.1.25-3.42.2
- (no CPE)range: < 4.2.21-150300.3.18.1
- (no CPE)range: < 4.1.34-3.59.2
- (no CPE)range: < 4.2.21-150300.3.20.1
- (no CPE)range: < 4.2.6-150300.4.9.1
- (no CPE)range: < 0.6.2-150300.8.6.1
Patches
Vulnerability mechanics
References
12- github.com/advisories/GHSA-84p2-vf58-xhxvghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2019-5427ghsaADVISORY
- hackerone.com/reports/509315ghsax_refsource_MISCWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWRghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4ghsaWEB
- www.oracle.com/security-alerts/cpuapr2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujul2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.