CVE-2019-5427 XML configuration DoS vulnerability in c3p0 

Issue date: 01-07-2019
Affects versions: 13.1, 13.0, 12.6, 11.2

Issue ID: SECURITY-110


Affected Product Version(s)
11.2.13, 12.6.3, 13.0.2, 13.1.1 (and previous patch releases)





c3p0 version < may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

This vulnerability is classified with severity high. Although default usage of this library within the Bloomreach Experience Manager product is not vulnerable, project specific usages of this third-party code within a customer project may be vulnerable.

As the affected third-party library is not used in Bloomreach Experience Manager the dependency has been removed from the product.



Every customer is strongly advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.