Vulnerability	Vulnerable Version
C XML External Entity (XXE) Injection com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization. How to fix XML External Entity (XXE) Injection? Upgrade `com.mchange:c3p0` to version 0.9.5.3 or higher.	[,0.9.5.3)
H Denial of Service (DoS) com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements. Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations. How to fix Denial of Service (DoS)? Upgrade `com.mchange:c3p0` to version 0.9.5.4 or higher.	[,0.9.5.4)

XML External Entity (XXE) Injection

com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

How to fix XML External Entity (XXE) Injection?

Upgrade com.mchange:c3p0 to version 0.9.5.3 or higher.

[,0.9.5.3)

Denial of Service (DoS)

com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.

How to fix Denial of Service (DoS)?

Upgrade com.mchange:c3p0 to version 0.9.5.4 or higher.

[,0.9.5.4)

Go back to all versions of this package