Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: Meridian-2018.1.7, 24.0.0
Fix Version/s: Meridian-2016.1.21, Meridian-2017.1.17, Meridian-2018.1.8, 24.1.0
Component/s: Build / Packaging
Security Level: Default (Default Security Scheme)
Labels: None
Sprint: Horizon 2019 - 19

Description
From GitHub's vulnerability scanner:
CVE-2018-20433
moderate severity
Vulnerable versions: <= 0.9.5.2
Patched version: 0.9.5.3
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.