[NMS-10694] CVE-2018-20433: XXE Vulnerability in c3p0 < 0.9.5.3 - The OpenNMS Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: Meridian-2018.1.7, 24.0.0
Fix Version/s: Meridian-2016.1.21, Meridian-2017.1.17, Meridian-2018.1.8, 24.1.0
Component/s: Build / Packaging
Security Level: Default (Default Security Scheme)
Labels:
None

Sprint:
Horizon 2019 - 19

Description

From GitHub's vulnerability scanner:

CVE-2018-20433 More information

moderate severity
Vulnerable versions: <= 0.9.5.2
Patched version: 0.9.5.3
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Attachments

Activity

People

Assignee:: Benjamin Reed

Reporter:: Will Keaney

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 10/May/19 2:46 PM

Updated:: 23/May/19 8:11 PM

Resolved:: 14/May/19 2:29 PM