CVE-2019-5442

Exploit

EPSS 0.33%
Veröffentlicht 12.06.2019 16:29:00
Zuletzt bearbeitet 21.11.2024 04:44:56
Quelle support@hackerone.com
CVE-Watchlists
Login
Unerledigt
Login

XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service.Entities are created recursively and large amounts of heap memory is taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will continue to be exhausted and will affect other processes on the system.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pippo ≫ Pippo Version1.12.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.533

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

https://hackerone.com/reports/506791

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2019-5442

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-5442

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-5442

EUVD