PT-2018-15374 · Mchange+1 · C3P0+1

Zhutougg

Published

2018-12-24

Updated

2024-06-15

CVE-2018-20433

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions c3p0 version 0.9.5.2

Description The issue allows XXE (XML External Entity) attacks in the extractXmlConfigFromInputStream function within com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during the initialization process.

Recommendations For c3p0 version 0.9.5.2, consider disabling the extractXmlConfigFromInputStream function as a temporary workaround until a patch is available. Restrict access to the C3P0ConfigXmlUtils class to minimize the risk of exploitation. Avoid using external XML entities in the configuration until the issue is resolved.

Fix

XXE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-611

Related Identifiers

CVE-2018-20433

DLA-1621-1

GHSA-Q485-J897-QC27

MGASA-2020-0051

OPENSUSE-SU-2024:10669-1

SUSE-SU-2022:0798-1

SUSE-SU-2022:1397-1

Affected Products

Suse

C3P0

PT-2018-15374 · Mchange+1 · C3P0+1

CVE-2018-20433

Weakness Enumeration

Related Identifiers

Affected Products

References · 71