Description
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
Statement
Red Hat Satellite 6 is not vulnerable to this issue, because the candlepin component that uses the c3p0 jar never passes an XML configuration file to c3p0, even though it includes a vulnerable version of the latter. Since this issue requires an XML file to be loaded by c3p0, no exploitation path exists.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | c3p0 | Out of support scope | ||
| Red Hat Decision Manager 7 | c3p0 | Not affected | ||
| Red Hat Fuse 7 | c3p0 | Will not fix | ||
| Red Hat JBoss BRMS 5 | c3p0 | Out of support scope | ||
| Red Hat JBoss Data Grid 7 | c3p0 | Not affected | ||
| Red Hat JBoss Data Virtualization 6 | c3p0 | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 5 | c3p0 | Out of support scope | ||
| Red Hat JBoss Enterprise Web Server 2 | c3p0 | Out of support scope | ||
| Red Hat JBoss Fuse 6 | c3p0 | Out of support scope | ||
| Red Hat JBoss SOA Platform 5 | c3p0 | Out of support scope | ||
Additional information
Status:
EPSS
7.3 High
CVSS3