CVE-2019-5427 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-5427 PUBLISHED

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

EPSS 3.91% · 88.2th percentile

Risk Scores

EPSS Score

3.91%

88.2th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:24.04:LTS	c3p0	0
Ubuntu:22.04:LTS	c3p0	0.9.1.2-10, 0
Ubuntu:Pro:16.04:LTS	c3p0	0.9.1.2-9+deb8u1build0.16.04.1, 0, 0.9.1.2-9
Ubuntu:Pro:14.04:LTS	c3p0	0, 0.9.1.2-7, 0.9.1.2-9
Ubuntu:20.04:LTS	c3p0	0, 0.9.1.2-10
Ubuntu:18.04:LTS	c3p0	0.9.1.2-9+deb8u1build0.18.04.1, 0.9.1.2-9, 0

Timeline

CVE Published
Apr 16, 2019 PoC Published
Apr 14, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Nov 8, 2023 EPSS Score
Oct 22, 2024 EPSS Score
Mar 19, 2025 EPSS Score
Mar 22, 2025 EPSS Score
Mar 26, 2025 EPSS Score
Mar 28, 2025 EPSS Score
Mar 29, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2019-5427 third-party-advisory
https://hackerone.com/reports/509315 third-party-advisory
https://ubuntu.com/security/notices/USN-5293-1 vendor-advisory
https://ubuntu.com/security/notices/USN-5293-2 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2019-5427 third-party-advisory
https://ubuntu.com/security/notices/USN-7571-1 vendor-advisory

Open in Interactive Console →