Ecosyste.ms: Advisories
XML Entity Expansion in Pippo
XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service. Entities are created recursively and large amounts of heap memory are taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will continue to be exhausted and will affect other processes on the system.
Permalink: https://github.com/advisories/GHSA-hwcx-9p4j-7hwj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh3Y3gtOXA0ai03aHdq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00115
EPSS Percentile: 0.46508
Identifiers: GHSA-hwcx-9p4j-7hwj, CVE-2019-5442
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-5442
- https://hackerone.com/reports/506791
- https://github.com/advisories/GHSA-hwcx-9p4j-7hwj
Affected Packages
maven:ro.pippo:pippo-jaxb
Dependent packages: 1
Dependent repositories: 1
Affected Version Ranges: <= 1.12.0
No known fixed version
All affected versions: 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0