CVSS: 7.5EPSS: 1%CPEs: 19EXPL: 2CVE-2019-5427 – c3p0: loading XML configuration leads to denial of service
https://notcve.org/view.php?id=CVE-2019-5427
22 Apr 2019 — c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. En c3p0 versiones <0.9.5.4, puede ser explotada por un ataque de tipo a billion laughs al cargar la configuración XML producto de la falta de protecciones faltantes contra la expansión recursiva de la entidad al cargar la configuración. This release of Red Hat Fuse 7.6.0 serves as a replacement for Red Hat Fuse 7.5, and in... • https://github.com/shanika04/cp30_XXE_partial_fix • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 9.8EPSS: 4%CPEs: 2EXPL: 1CVE-2018-20433
https://notcve.org/view.php?id=CVE-2018-20433
24 Dec 2018 — c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. c3p0 0.9.5.2 permite XEE (XML External Entity) en extractXmlConfigFromInputStream en com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java durante la inicialización. • https://github.com/shanika04/cp30_XXE_partial_fix • CWE-611: Improper Restriction of XML External Entity Reference •