MGASA-2020-0051 Updated c3p0 packages fix security vulnerabilities
An XML external entity processing vulnerability was found in the extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433). c3p0 version 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading...
kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
A flaw was found in Kubernetes. The parsing of YAML manifests by the Kubernetes API server could lead to a denial-of-service attack, leaving it vulnerable to an instance of a "billion laughs" attack. The highest threat from this vulnerability is to system availability...
RHEL 7 : OpenShift Container Platform 3.10 atomic-openshift (RHSA-2019:3239)
The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3239 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or privat...
XML Entity Expansion
go-yaml is vulnerable to a Billion Laughs Attack...
High severity vulnerability that affects PeterO.Cbor
Impact The CBOR library supports optional tags that enable CBOR objects to contain references to objects within them. Versions earlier than 4.0 resolved those references automatically. While this by itself doesn't cause much of a security problem, a denial of service can happen if those reference...
XML Entity Expansion (XEE)
c3p0 is vulnerable to XML entity expansion (XEE). Missing protections against recursive entity expansion when loading configuration allow remote attackers to exploit the billion laughs attack by loading malicious XML configurations...
GHSA-HWCX-9P4J-7HWJ XML Entity Expansion in Pippo
XML Entity Expansion Billion Laughs Attack on Pippo 1.12.0 results in Denial of Service. Entities are created recursively and large amounts of heap memory are taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will...
Input validation
XML Entity Expansion Billion Laughs Attack on Pippo 1.12.0 results in Denial of Service. Entities are created recursively and large amounts of heap memory are taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will...
CVE-2019-5442
XML Entity Expansion Billion Laughs Attack on Pippo 1.12.0 results in Denial of Service. Entities are created recursively and large amounts of heap memory are taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will...
CVE-2019-5442
CVE-2019-5442 describes an XML Entity Expansion (Billion Laughs) vulnerability in Pippo 1.12.0 where untrusted XML parsing can trigger recursive entities via a DTD, causing DoS through excessive heap memory consumption and potential JVM memory exhaustion. Connected records confirm Pippo 1.12.0 as...
CVE-2019-5427
c3p0 version 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration...
Billion laughs attack in c3p0
c3p0 version 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration...
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
c3p0 version 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration...
UBUNTU-CVE-2019-5427
c3p0 version 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration...
Design/Logic Flaw
c3p0 version 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration...
CVE-2019-5427
CVE-2019-5427 affects c3p0, where versions older than 0.9.5.4 are vulnerable to a billion laughs (XML entity expansion) attack when loading XML configuration due to missing protections against recursive entity expansion. Public sources in connected documents confirm the issue exists in c3p0
Starbucks: SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database
As described in the Hacker Summary, @spaceraccoon discovered a SQL Injection vulnerability in a web service backed by Microsoft Dynamics AX. @spaceraccoon demonstrated that the flaw was exploitable via XML-formatted HTTP payload requests to the server. We appreciate @spaceraccoon's clear and...
Central Security Project: c3p0 may be exploited by a Billion Laughs Attack when loading XML configuration
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Please refer to the example on our poli...