CVE-2018-20433

NONE EPSS 90.5%
Published Dec 24, 2018 7y ago
Last Modified Jun 17, 2026 2w ago

Description

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Threat Intelligence

EPSS Exploit Probability
90.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-611

Affected Products 2

Vendor  | Product      | Version | Range
mchange | c3p0         | 0.9.5.2 | any
debian  | debian_linux | 8.0     | any

References 4

  • github.com https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
    Patch, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/

Remediation

  • github.com https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
    Patch, Third Party Advisory