What the vulnerability does

01 Description

c3p0 versions < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration, due to missing protections against recursive entity expansion.
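For code that loads XML configuration with its own parser, the protection described as missing above can be applied as follows. This is an added example, not c3p0's code or its fix; it assumes the JDK's built-in JAXP parser, the class name `HardenedConfigLoader` is hypothetical, and both XML samples are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedConfigLoader {  // hypothetical name, not part of c3p0

    // Parser that refuses any DOCTYPE, so no entity can be declared or expanded.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Enables the JDK's built-in processing limits (entity expansion cap etc.).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject documents that carry a DTD at all; config files do not need one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document load(String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        return hardenedBuilder().parse(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: ordinary configuration without a DOCTYPE.
        String plain = "<c3p0-config><default-config>"
            + "<property name=\"maxPoolSize\">10</property>"
            + "</default-config></c3p0-config>";
        // Constructed sample: entity b is defined in terms of entity a, the
        // pattern behind recursive expansion (kept deliberately tiny here).
        String nested = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE c3p0-config [<!ENTITY a \"x\"><!ENTITY b \"&a;&a;\">]>"
            + "<c3p0-config><default-config>"
            + "<property name=\"user\">&b;</property>"
            + "</default-config></c3p0-config>";

        System.out.println("plain root: " + load(plain).getDocumentElement().getNodeName());
        try {
            load(nested);
            System.out.println("nested: parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("nested: rejected: " + e.getMessage());
        }
    }
}
```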

Key dates

02 Disclosure timeline

April 22, 2019: CVE published
August 4, 2024: Record updated