CVE-2019-5427
First published: Wed Apr 17 2019(Updated: )
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. References: <a href="https://hackerone.com/reports/509315">https://hackerone.com/reports/509315</a> <a href="http://www.cvedetails.com/cve/CVE-2019-5427/">http://www.cvedetails.com/cve/CVE-2019-5427/</a> Upstream commit: <a href="https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b">https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b</a>
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mchange C3p0 | <0.9.5.2 | |
| Fedoraproject Fedora | =29 | |
| Fedoraproject Fedora | =30 | |
| Oracle Communications Ip Service Activator | =7.3.0 | |
| Oracle Communications Ip Service Activator | =7.4.0 | |
| Oracle Communications Session Route Manager | >=8.2.0<=8.2.2 | |
| Oracle Documaker | >=12.6.0<=12.6.6 | |
| Oracle Enterprise Manager Base Platform | =13.2.1.0 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle Retail Xstore Point of Service | =15.0 | |
| Oracle Retail Xstore Point of Service | =16.0 | |
| Oracle Retail Xstore Point of Service | =17.0 | |
| Oracle Retail Xstore Point of Service | =18.0 | |
| Oracle Retail Xstore Point of Service | =19.0 | |
| Oracle WebCenter Sites | =12.2.1.3.0 | |
| Oracle WebCenter Sites | =12.2.1.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-5427 https://nvd.nist.gov/vuln/detail/CVE-2019-5427
- https://bugzilla.redhat.com/show_bug.cgi?id=1709860
- https://access.redhat.com/errata/RHSA-2020:0983
- https://access.redhat.com/security/cve/cve-2019-5427
- https://hackerone.com/reports/509315
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://www.cvedetails.com/cve/CVE-2019-5427/
- https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1709862
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1709861
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/support/policy/updates/rhmap
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/
Frequently Asked Questions
What is CVE-2019-5427?
CVE-2019-5427 refers to a vulnerability in c3p0 version < 0.9.5.4 that can be exploited by a billion laughs attack when loading XML configuration.
How severe is CVE-2019-5427?
CVE-2019-5427 has a severity value of 7.5, which is considered high.
Which software versions are affected by CVE-2019-5427?
c3p0 versions prior to 0.9.5.4 are affected by CVE-2019-5427.
What is the remedy for CVE-2019-5427?
To fix CVE-2019-5427, update c3p0 to version 0.9.5.4 or later.
Where can I find more information about CVE-2019-5427?
More information about CVE-2019-5427 can be found at the following references: 1. HackerOne report: https://hackerone.com/reports/509315 2. CVE Details: http://www.cvedetails.com/cve/CVE-2019-5427/ 3. GitHub commit: https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/remedy
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-5427
- agent/software-canonical-lookup
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/mchange
- canonical/mchange c3p0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/29
- version/fedoraproject fedora/30
- vendor/oracle
- canonical/oracle communications ip service activator
- version/oracle communications ip service activator/7.3.0
- version/oracle communications ip service activator/7.4.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.2.0
- version/oracle communications session route manager/8.2.2
- canonical/oracle documaker
- version/oracle documaker/12.6.0
- version/oracle documaker/12.6.6
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.2.1.0
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle hyperion infrastructure technology
- version/oracle hyperion infrastructure technology/11.1.2.4
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/15.0
- version/oracle retail xstore point of service/16.0
- version/oracle retail xstore point of service/17.0
- version/oracle retail xstore point of service/18.0
- version/oracle retail xstore point of service/19.0
- canonical/oracle webcenter sites
- version/oracle webcenter sites/12.2.1.3.0
- version/oracle webcenter sites/12.2.1.4.0
- package-manager/redhat