CVE-2019-5427

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Weakness

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Affected Software

Name	Vendor	Start Version	End Version
C3p0	Mchange	*	0.9.5.4 (excluding)
Red Hat Fuse 7.6.0	RedHat	c3p0	*
C3p0	Ubuntu	bionic	*
C3p0	Ubuntu	cosmic	*
C3p0	Ubuntu	devel	*
C3p0	Ubuntu	disco	*
C3p0	Ubuntu	eoan	*
C3p0	Ubuntu	esm-apps/bionic	*
C3p0	Ubuntu	esm-apps/focal	*
C3p0	Ubuntu	esm-apps/jammy	*
C3p0	Ubuntu	esm-apps/noble	*
C3p0	Ubuntu	esm-apps/xenial	*
C3p0	Ubuntu	esm-infra-legacy/trusty	*
C3p0	Ubuntu	focal	*
C3p0	Ubuntu	groovy	*
C3p0	Ubuntu	hirsute	*
C3p0	Ubuntu	impish	*
C3p0	Ubuntu	jammy	*
C3p0	Ubuntu	kinetic	*
C3p0	Ubuntu	lunar	*
C3p0	Ubuntu	mantic	*
C3p0	Ubuntu	noble	*
C3p0	Ubuntu	oracular	*
C3p0	Ubuntu	plucky	*
C3p0	Ubuntu	trusty	*
C3p0	Ubuntu	trusty/esm	*
C3p0	Ubuntu	upstream	*
C3p0	Ubuntu	xenial	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/197.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-5427
CWE	https://cwe.mitre.org/data/definitions/776.html

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Weakness

Affected Software

Potential Mitigations

References

CVE-2019-5427

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References