CVE-2018-20433

CRITICAL

Mchange C3p0 < 0.9.5.3 - XXE

Title source: rule

Description

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Exploits (1)

nomisec STUB

by shanika04 · poc

https://github.com/shanika04/cp30_XXE_partial_fix

View Code ZIP pw:eip

References (4)

[Patch, Third Party Advisory] https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/

Scores

CVSS v3 9.8

EPSS 0.0240

EPSS Percentile 85.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-611

Status published

Products (3)

com.mchange/c3p0 0 - 0.9.5.3Maven

debian/debian_linux 8.0

mchange/c3p0 0.9.5.2

Published Dec 24, 2018

Tracked Since Feb 18, 2026