CVE-2018-20433

CRITICAL

Mchange C3p0 < 0.9.5.3 - XXE

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-20433. PoCs published by shanika04.

AI-analyzed exploit summary This repository appears to be a partial fix or development snapshot for CVE-2019-5427, an XXE vulnerability in c3p0. The provided files are source code and documentation, but no exploit PoC or offensive techniques are present.

Description

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Exploits (1)

nomisec STUB
by shanika04 · poc
https://github.com/shanika04/cp30_XXE_partial_fix

This repository appears to be a partial fix or development snapshot for CVE-2019-5427, an XXE vulnerability in c3p0. The provided files are source code and documentation, but no exploit PoC or offensive techniques are present.

Classification
Stub 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: c3p0 (JDBC Connection pooling library)
No auth needed
Prerequisites: Access to a vulnerable c3p0 version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.8
EPSS 0.0240
EPSS Percentile 85.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-611
Status published
Products (3)
com.mchange/c3p0 0 - 0.9.5.3Maven
debian/debian_linux 8.0
mchange/c3p0 0.9.5.2
Published Dec 24, 2018
Tracked Since Feb 18, 2026