Vulnerabilities > CVE-2019-5442 - XML Entity Expansion vulnerability in Pippo 1.12.0

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

pippo

CWE-776

NVD

Published: 2019-06-12

Updated: 2020-10-16

Summary

XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service.Entities are created recursively and large amounts of heap memory is taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will continue to be exhausted and will affect other processes on the system.

Vulnerable Configurations

Part	Description	Count
Application	Pippo Pippo Pippo 1.12.0	1

Common Weakness Enumeration (CWE)

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

References

https://hackerone.com/reports/506791