ifeilong / feilong-spring

:gem:focus on spring
Apache License 2.0

Upgrade c3p0 to >0.9.5.4 #176

Closed venusdrogon closed 5 years ago

venusdrogon commented 5 years ago

Upgrade c3p0

[screenshot]

https://nvd.nist.gov/vuln/detail/CVE-2018-20433

venusdrogon commented 5 years ago
CVE-2018-20433 Detail

Current Description
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
Source: MITRE
Description Last Modified: 12/24/2018

Impact

CVSS v3.0 Severity and Metrics:
Base Score: 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVSS v2.0 Severity and Metrics:
Base Score: 7.5 HIGH
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional Information:
Allows unauthorized disclosure of information
Allows unauthorized modification
Allows disruption of service

References to Advisories, Solutions, and Tools
Hyperlink | Resource
https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b | Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html | Mailing List, Third Party Advisory

Technical Details
Vulnerability Type: Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)

Known Affected Software Configurations
Configuration 1: cpe:2.3:a:mchange:c3p0:0.9.5.2:*:*:*:*:*:*:*
Configuration 2: cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

venusdrogon commented 5 years ago

[screenshot]

venusdrogon commented 5 years ago

[screenshot]