// For flags

CVE-2019-5427

c3p0: loading XML configuration leads to denial of service

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

En c3p0 versiones <0.9.5.4, puede ser explotada por un ataque de tipo a billion laughs al cargar la configuración XML producto de la falta de protecciones faltantes contra la expansión recursiva de la entidad al cargar la configuración.

This release of Red Hat Fuse 7.6.0 serves as a replacement for Red Hat Fuse 7.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, and information leakage vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-01-04 CVE Reserved
  • 2019-04-22 CVE Published
  • 2020-12-13 First Exploit
  • 2024-08-04 CVE Updated
  • 2025-04-03 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mchange
Search vendor "Mchange"
 C3p0
Search vendor "Mchange" for product "C3p0"
 < 0.9.5.2
Search vendor "Mchange" for product "C3p0" and version " < 0.9.5.2"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 29
Search vendor "Fedoraproject" for product "Fedora" and version "29"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 30
Search vendor "Fedoraproject" for product "Fedora" and version "30"
-
Affected
Oracle
Search vendor "Oracle"
 Communications Ip Service Activator
Search vendor "Oracle" for product "Communications Ip Service Activator"
 7.3.0
Search vendor "Oracle" for product "Communications Ip Service Activator" and version "7.3.0"
-
Affected
Oracle
Search vendor "Oracle"
 Communications Ip Service Activator
Search vendor "Oracle" for product "Communications Ip Service Activator"
 7.4.0
Search vendor "Oracle" for product "Communications Ip Service Activator" and version "7.4.0"
-
Affected
Oracle
Search vendor "Oracle"
 Communications Session Route Manager
Search vendor "Oracle" for product "Communications Session Route Manager"
 >= 8.2.0 <= 8.2.2
Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.2.0 <= 8.2.2"
-
Affected
Oracle
Search vendor "Oracle"
 Documaker
Search vendor "Oracle" for product "Documaker"
 >= 12.6.0 <= 12.6.6
Search vendor "Oracle" for product "Documaker" and version " >= 12.6.0 <= 12.6.6"
-
Affected
Oracle
Search vendor "Oracle"
 Enterprise Manager Base Platform
Search vendor "Oracle" for product "Enterprise Manager Base Platform"
 13.2.1.0
Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.2.1.0"
-
Affected
Oracle
Search vendor "Oracle"
 Enterprise Manager Ops Center
Search vendor "Oracle" for product "Enterprise Manager Ops Center"
 12.4.0.0
Search vendor "Oracle" for product "Enterprise Manager Ops Center" and version "12.4.0.0"
-
Affected
Oracle
Search vendor "Oracle"
 Flexcube Private Banking
Search vendor "Oracle" for product "Flexcube Private Banking"
 12.0.0
Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.0.0"
-
Affected
Oracle
Search vendor "Oracle"
 Flexcube Private Banking
Search vendor "Oracle" for product "Flexcube Private Banking"
 12.1.0
Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.1.0"
-
Affected
Oracle
Search vendor "Oracle"
 Hyperion Infrastructure Technology
Search vendor "Oracle" for product "Hyperion Infrastructure Technology"
 11.1.2.4
Search vendor "Oracle" for product "Hyperion Infrastructure Technology" and version "11.1.2.4"
-
Affected
Oracle
Search vendor "Oracle"
 Retail Xstore Point Of Service
Search vendor "Oracle" for product "Retail Xstore Point Of Service"
 15.0
Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "15.0"
-
Affected
Oracle
Search vendor "Oracle"
 Retail Xstore Point Of Service
Search vendor "Oracle" for product "Retail Xstore Point Of Service"
 16.0
Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "16.0"
-
Affected
Oracle
Search vendor "Oracle"
 Retail Xstore Point Of Service
Search vendor "Oracle" for product "Retail Xstore Point Of Service"
 17.0
Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0"
-
Affected
Oracle
Search vendor "Oracle"
 Retail Xstore Point Of Service
Search vendor "Oracle" for product "Retail Xstore Point Of Service"
 18.0
Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0"
-
Affected
Oracle
Search vendor "Oracle"
 Retail Xstore Point Of Service
Search vendor "Oracle" for product "Retail Xstore Point Of Service"
 19.0
Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0"
-
Affected
Oracle
Search vendor "Oracle"
 Webcenter Sites
Search vendor "Oracle" for product "Webcenter Sites"
 12.2.1.3.0
Search vendor "Oracle" for product "Webcenter Sites" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
 Webcenter Sites
Search vendor "Oracle" for product "Webcenter Sites"
 12.2.1.4.0
Search vendor "Oracle" for product "Webcenter Sites" and version "12.2.1.4.0"
-
Affected