Lucene search

[email protected]NVD:CVE-2019-5427

HistoryApr 22, 2019 - 9:29 p.m.

CVE-2019-5427

2019-04-2221:29:00

CWE-776

[email protected]

web.nvd.nist.gov

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.5

Confidence

High

EPSS

0.023

Percentile

89.8%

JSON

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Affected configurations

Nvd

Node

mchangec3p0Range<0.9.5.2

Node

fedoraprojectfedoraMatch29

fedoraprojectfedoraMatch30

Node

oraclecommunications_ip_service_activatorMatch7.3.0

oraclecommunications_ip_service_activatorMatch7.4.0

oraclecommunications_session_route_managerRange8.2.0–8.2.2

oracledocumakerRange12.6.0–12.6.6

oracleenterprise_manager_base_platformMatch13.2.1.0

oracleenterprise_manager_ops_centerMatch12.4.0.0

oracleflexcube_private_bankingMatch12.0.0

oracleflexcube_private_bankingMatch12.1.0

oraclehyperion_infrastructure_technologyMatch11.1.2.4

oracleretail_xstore_point_of_serviceMatch15.0

oracleretail_xstore_point_of_serviceMatch16.0

oracleretail_xstore_point_of_serviceMatch17.0

oracleretail_xstore_point_of_serviceMatch18.0

oracleretail_xstore_point_of_serviceMatch19.0

oraclewebcenter_sitesMatch12.2.1.3.0

oraclewebcenter_sitesMatch12.2.1.4.0

VendorProductVersionCPE
mchangec3p0*cpe:2.3:a:mchange:c3p0:*:*:*:*:*:*:*:*
fedoraprojectfedora29cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
fedoraprojectfedora30cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
oraclecommunications_ip_service_activator7.3.0cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*
oraclecommunications_ip_service_activator7.4.0cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*
oraclecommunications_session_route_manager*cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
oracledocumaker*cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*
oracleenterprise_manager_base_platform13.2.1.0cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*
oracleenterprise_manager_ops_center12.4.0.0cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
oracleflexcube_private_banking12.0.0cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mchange	c3p0	*	cpe:2.3:a:mchange:c3p0::::::::
fedoraproject	fedora	29	cpe:2.3:o:fedoraproject:fedora:29:::::::*
fedoraproject	fedora	30	cpe:2.3:o:fedoraproject:fedora:30:::::::*
oracle	communications_ip_service_activator	7.3.0	cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:::::::*
oracle	communications_ip_service_activator	7.4.0	cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:::::::*
oracle	communications_session_route_manager	*	cpe:2.3:a:oracle:communications_session_route_manager::::::::
oracle	documaker	*	cpe:2.3:a:oracle:documaker::::::::
oracle	enterprise_manager_base_platform	13.2.1.0	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:::::::*
oracle	enterprise_manager_ops_center	12.4.0.0	cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:::::::*
oracle	flexcube_private_banking	12.0.0	cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:::::::*