CVE-2019-5427: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

April 23, 2019 (updated October 21, 2021)

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

References

github.com/advisories/GHSA-84p2-vf58-xhxv
nvd.nist.gov/vuln/detail/CVE-2019-5427

Code Behaviors & Features

Detect and mitigate CVE-2019-5427 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →