Homepage
About Snyk

com.mchange:c3p0@0.9.5-pre5 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the com.mchange:c3p0 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
XML External Entity (XXE) Injection

com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

How to fix XML External Entity (XXE) Injection?

Upgrade com.mchange:c3p0 to version 0.9.5.3 or higher.

[,0.9.5.3)
  • H
Denial of Service (DoS)

com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.

How to fix Denial of Service (DoS)?

Upgrade com.mchange:c3p0 to version 0.9.5.4 or higher.

[,0.9.5.4)
Go back to all versions of this package