CVE-2019-5442

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-5442

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-5442.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-5442

Aliases

GHSA-hwcx-9p4j-7hwj

Published

2019-06-12T16:29:00Z

Modified

2025-01-14T08:03:58.052258Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service.Entities are created recursively and large amounts of heap memory is taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will continue to be exhausted and will affect other processes on the system.

References

https://hackerone.com/reports/506791

Affected packages

Git / github.com/pippo-java/pippo

Affected ranges

Type: GIT
Repo: https://github.com/pippo-java/pippo
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

7da9f4db945d10113cf4ea4ed44ba0f1a7f83a8f

Affected versions

pippo-parent-0.*

pippo-parent-0.1.0

pippo-parent-0.2.0

pippo-parent-0.3.0

pippo-parent-0.4.0

release-0.*

release-0.10.0

release-0.4.1

release-0.4.2

release-0.5.0

release-0.6.0

release-0.6.1

release-0.7.0

release-0.8.0

release-0.9.0

release-0.9.1

release-1.*

release-1.0.0

release-1.1.0

release-1.10.0

release-1.11.0

release-1.12.0

release-1.2.0

release-1.3.0

release-1.4.0

release-1.5.0

release-1.6.0

release-1.7.0

release-1.8.0

release-1.9.0