{"id":"CVE-2018-20433","details":"c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.","aliases":["GHSA-q485-j897-qc27"],"modified":"2026-04-16T04:37:34.563357099Z","published":"2018-12-24T13:29:00.210Z","related":["SUSE-SU-2022:0798-1","SUSE-SU-2022:1397-1","openSUSE-SU-2024:10669-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html"},{"type":"FIX","url":"https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zhutougg/c3p0","events":[{"introduced":"0"},{"last_affected":"9f97c814aef31b2997d6ecfad1e3875c6136317b"},{"fixed":"2eb0ea97f745740b18dd45e4a909112d4685f87b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.9.5.2"}]}}],"versions":["c3p0-0.9.2","c3p0-0.9.2-pre2-RELEASE","c3p0-0.9.2-pre3","c3p0-0.9.2-pre4","c3p0-0.9.2-pre6","c3p0-0.9.2-pre7","c3p0-0.9.2-pre8","c3p0-0.9.5","c3p0-0.9.5-pre1","c3p0-0.9.5-pre10","c3p0-0.9.5-pre2","c3p0-0.9.5-pre3","c3p0-0.9.5-pre4","c3p0-0.9.5-pre5","c3p0-0.9.5-pre6","c3p0-0.9.5-pre7","c3p0-0.9.5-pre8","c3p0-0.9.5-pre9","c3p0-0.9.5.1","c3p0-0.9.5.2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20433.json","vanir_signatures":[{"id":"CVE-2018-20433-5da07470","target":{"file":"src/java/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java","function":"extractXmlConfigFromInputStream"},"source":"https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b","deprecated":false,"signature_type":"Function","digest":{"function_hash":"285633924274454538166616215983368224587","length":184},"signature_version":"v1"},{"id":"CVE-2018-20433-7052ecb0","target":{"file":"src/java/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java"},"source":"https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["189690253779608637118636279419339185924","203546079303241071003653587684751722518","82634546918609591678268069562506055393","1203531496525078502927178182878650541"]},"signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T11:39:48Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}