CVE-2019-5427

Published: Apr 22, 2019Modified: Sep 5, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Affected Products (11)

CPE details will appear after the next data sync.

1 product

1 product

9 products

Communications Ip Service Activator

Communications Session Route Manager

Documaker

Enterprise Manager Base Platform

Enterprise Manager Ops Center

Flexcube Private Banking

Hyperion Infrastructure Technology

Retail Xstore Point Of Service

Webcenter Sites

References (16)

https://hackerone.com/reports/509315

Source: support@hackerone.com

ExploitIssue TrackingPatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/

Source: support@hackerone.com

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/

Source: support@hackerone.com

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: support@hackerone.com

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Source: support@hackerone.com

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Source: support@hackerone.com

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Source: support@hackerone.com

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: support@hackerone.com

Third Party Advisory

https://hackerone.com/reports/509315