CVE-2018-20433
NONE EPSS 90.5%
Published Dec 24, 2018 7y ago
Last Modified Jun 17, 2026 2w ago
Description
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
Threat Intelligence
EPSS Exploit Probability
90.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-611
Affected Products 2
References 4
- github.com https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
- lists.debian.org https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/
Remediation
- github.com https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b