Candidate: CVE-2018-20433
PublicDate: 2018-12-24 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433
 https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
Description:
 c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in
 com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
Ubuntu-Description:
 It was discovered that c3p0 has a XML External Entity (XXE) vulnerability
 that can be used to provoke a crash or leak sensitive information outside
 of the intended sphere of control.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917257
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_c3p0:
upstream_c3p0: released (0.9.1.2-9+deb8u1, 0.9.1.2-10)
precise/esm_c3p0: DNE
trusty_c3p0: released (0.9.1.2-9+deb8u1build0.14.04.1)
trusty/esm_c3p0: DNE (trusty was released [0.9.1.2-9+deb8u1build0.14.04.1])
xenial_c3p0: released (0.9.1.2-9+deb8u1build0.16.04.1)
bionic_c3p0: released (0.9.1.2-9+deb8u1build0.18.04.1)
cosmic_c3p0: released (0.9.1.2-9+deb8u1build0.18.10.1)
devel_c3p0: not-affected (0.9.1.2-1)