## Vulnerable Library - quartz-2.2.3.jar
Enterprise Job Scheduler
Library home page: http://www.quartz-scheduler.org
Path to dependency file: /webapp/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/quartz-scheduler/quartz/2.2.3/quartz-2.2.3.jar
Found in HEAD commit: 012e83ee9b10e35eced839f51b8019c57f33234b
## Vulnerabilities

| CVE | CVSS 4 | Exploit Maturity | EPSS | Dependency | Type | Fixed in* | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2018-20433 | 9.3 | Not Defined | 0.6% | c3p0-0.9.1.1.jar | Transitive | 0.9.5.3 | Reachable |
| CVE-2019-13990 | 9.2 | Not Defined | 0.8% | quartz-2.2.3.jar | Direct | 2.3.2 | Reachable |
| CVE-2019-5427 | 8.2 | Not Defined | 2.3% | c3p0-0.9.1.1.jar | Transitive | 0.9.5.4 | Reachable |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
## Details
### CVE-2018-20433
#### Vulnerable Library - c3p0-0.9.1.1.jar

c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.
Library home page: http://c3p0.sourceforge.net
Path to dependency file: /webapp/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar
Dependency Hierarchy:
- quartz-2.2.3.jar (Root Library)
  - :x: **c3p0-0.9.1.1.jar** (Vulnerable Library)
Found in HEAD commit: 012e83ee9b10e35eced839f51b8019c57f33234b
Found in base branch: main
#### Reachability Analysis

This vulnerability is potentially reachable:

```
com.box.l10n.mojito.quartz.QuartzSchedulerConfig (Application)
  -> org.springframework.scheduling.quartz.SchedulerFactoryBean (Extension)
  -> org.quartz.impl.StdSchedulerFactory (Extension)
  -> com.mchange.v2.c3p0.ComboPooledDataSource (Extension)
  ...
  -> com.mchange.v2.c3p0.cfg.C3P0Config (Extension)
  -> com.mchange.v2.c3p0.cfg.DefaultC3P0ConfigFinder (Extension)
  -> ❌ com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils (Vulnerable Component)
```

#### Vulnerability Details

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
Publish Date: 2018-12-24
URL: CVE-2018-20433
#### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 0.6%
#### CVSS 4 Score Details (9.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

#### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433
Release Date: 2018-12-24
Fix Resolution: 0.9.5.3
### CVE-2019-13990
#### Vulnerable Library - quartz-2.2.3.jar

Enterprise Job Scheduler
Library home page: http://www.quartz-scheduler.org
Path to dependency file: /webapp/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/quartz-scheduler/quartz/2.2.3/quartz-2.2.3.jar
Dependency Hierarchy:
- :x: **quartz-2.2.3.jar** (Vulnerable Library)
Found in HEAD commit: 012e83ee9b10e35eced839f51b8019c57f33234b
Found in base branch: main
#### Reachability Analysis

This vulnerability is potentially reachable:

```
com.box.l10n.mojito.quartz.QuartzSchedulerConfig (Application)
  -> org.springframework.scheduling.quartz.SchedulerFactoryBean (Extension)
  -> org.springframework.scheduling.quartz.SchedulerAccessor (Extension)
  -> ❌ org.quartz.xml.XMLSchedulingDataProcessor (Vulnerable Component)
```

#### Vulnerability Details

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
Publish Date: 2019-07-26
URL: CVE-2019-13990
#### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 0.8%
#### CVSS 4 Score Details (9.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

#### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-13990
Release Date: 2019-07-26
Fix Resolution: 2.3.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2019-5427
#### Vulnerable Library - c3p0-0.9.1.1.jar

c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.
Library home page: http://c3p0.sourceforge.net
Path to dependency file: /webapp/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar
Dependency Hierarchy:
- quartz-2.2.3.jar (Root Library)
  - :x: **c3p0-0.9.1.1.jar** (Vulnerable Library)
Found in HEAD commit: 012e83ee9b10e35eced839f51b8019c57f33234b
Found in base branch: main
#### Reachability Analysis

This vulnerability is potentially reachable:

```
com.box.l10n.mojito.quartz.QuartzSchedulerConfig (Application)
  -> org.springframework.scheduling.quartz.SchedulerFactoryBean (Extension)
  -> org.quartz.impl.StdSchedulerFactory (Extension)
  -> com.mchange.v2.c3p0.ComboPooledDataSource (Extension)
  ...
  -> com.mchange.v2.c3p0.cfg.C3P0Config (Extension)
  -> com.mchange.v2.c3p0.cfg.DefaultC3P0ConfigFinder (Extension)
  -> ❌ com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils (Vulnerable Component)
```

#### Vulnerability Details

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration, due to missing protections against recursive entity expansion when loading configuration.
Publish Date: 2019-04-22
URL: CVE-2019-5427
#### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 2.3%
#### CVSS 4 Score Details (8.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

#### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
Release Date: 2019-04-22
Fix Resolution: com.mchange:c3p0:0.9.5.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.