com.mchange:c3p0 0.9.5-pre10 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.mchange:c3p0 package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `userOverridesAsString` property of `ConnectionPoolDataSource` class. An attacker can achieve arbitrary code execution by supplying maliciously crafted serialized objects or `javax.naming.Reference` instances that trigger unsafe deserialization and remote code loading. How to fix Deserialization of Untrusted Data? Upgrade `com.mchange:c3p0` to version 0.12.0 or higher.	[,0.12.0)
C XML External Entity (XXE) Injection com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization. How to fix XML External Entity (XXE) Injection? Upgrade `com.mchange:c3p0` to version 0.9.5.3 or higher.	[,0.9.5.3)
H Denial of Service (DoS) com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements. Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations. How to fix Denial of Service (DoS)? Upgrade `com.mchange:c3p0` to version 0.9.5.4 or higher.	[,0.9.5.4)

Vulnerability

Vulnerable Version

Deserialization of Untrusted Data

com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the userOverridesAsString property of ConnectionPoolDataSource class. An attacker can achieve arbitrary code execution by supplying maliciously crafted serialized objects or javax.naming.Reference instances that trigger unsafe deserialization and remote code loading.

How to fix Deserialization of Untrusted Data?

Upgrade com.mchange:c3p0 to version 0.12.0 or higher.

[,0.12.0)

XML External Entity (XXE) Injection

com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

How to fix XML External Entity (XXE) Injection?

Upgrade com.mchange:c3p0 to version 0.9.5.3 or higher.

[,0.9.5.3)

Denial of Service (DoS)

com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.

How to fix Denial of Service (DoS)?

Upgrade com.mchange:c3p0 to version 0.9.5.4 or higher.

[,0.9.5.4)

com.mchange:c3p0@0.9.5-pre10 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically