VYPR
Critical severity · NVD Advisory · Published Dec 24, 2018 · Updated Aug 5, 2024

CVE-2018-20433

Description

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

c3p0 0.9.5.2 is vulnerable to XML External Entity (XXE) injection during initialization, allowing attackers to read sensitive files or perform SSRF.

Vulnerability

The vulnerability resides in the extractXmlConfigFromInputStream method within com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java. c3p0 versions up to and including 0.9.5.2 do not disable external entity resolution when parsing XML configuration files during initialization, leading to an XML External Entity (XXE) flaw [1][2].

Exploitation

An attacker must supply a malicious XML configuration file to the c3p0 library, typically by placing it in a location where c3p0 loads its configuration (e.g., classpath or system property). No special authentication or privileges are required if the attacker can control the configuration source. The XXE occurs when the extractXmlConfigFromInputStream method processes the crafted XML [1][2].

Impact

Successful exploitation enables an attacker to read arbitrary files from the server’s filesystem (e.g., via file:// entities) or conduct server-side request forgery (SSRF) attacks using external HTTP entities. This can result in sensitive information disclosure or internal network reconnaissance [1][2].

Mitigation

Upgrade to c3p0 version 0.9.5.3 or later, which disables external entity processing by default [2]. If an upgrade is not immediately possible, avoid loading XML configurations from untrusted sources. No workaround is provided for versions below 0.9.5.3. This vulnerability is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
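As an added example (not c3p0's own code, and not the fix commit listed under Patches), this is the parser hardening a defender would apply to a JAXP DocumentBuilderFactory before reading an XML configuration of the kind extractXmlConfigFromInputStream processes. It illustrates both the Vulnerability and the Mitigation sections: the flaw is a parser that honours DOCTYPE entity declarations, and the complete mitigation goes beyond the single setExpandEntityReferences(false) call by refusing any DOCTYPE and disabling external entity and DTD loading, the combination recommended in OWASP's XXE prevention guidance. The class name, the hardenedFactory/parseConfig/isRejected helpers and both sample documents are constructed for this example; the c3p0-config/default-config/property element shape follows c3p0's documented XML configuration format, and the entity URI is a placeholder that is never resolved.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Constructed example: a DOM parser hardened against XXE for an XML config of the shape c3p0 reads.
public class HardenedXmlConfigParser {

    // Builds a DocumentBuilderFactory that refuses DTDs and never resolves external entities.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
        // Primary defense: reject any DOCTYPE, so no entity (internal or external) can be declared.
        fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth for parsers that would still accept a DOCTYPE.
        fact.setFeature("http://xml.org/sax/features/external-general-entities", false);
        fact.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        fact.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        fact.setXIncludeAware(false);
        // The one call the 0.9.5.3 fix commit adds; on its own it is not a complete XXE defense.
        fact.setExpandEntityReferences(false);
        return fact;
    }

    // Parses configuration bytes with the hardened factory; a document carrying a DOCTYPE throws.
    static Document parseConfig(byte[] xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml));
    }

    // Returns true when the hardened parser rejects the document, false when it parses cleanly.
    static boolean isRejected(String xml) throws Exception {
        try {
            parseConfig(xml.getBytes(StandardCharsets.UTF_8));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: an ordinary c3p0-style configuration.
        String benign = "<c3p0-config><default-config>"
            + "<property name=\"maxPoolSize\">20</property>"
            + "</default-config></c3p0-config>";
        // Constructed sample 2: the same document with a DOCTYPE declaring an external entity
        // (placeholder URI; the hardened parser rejects the DOCTYPE before resolving anything).
        String withDoctype = "<!DOCTYPE c3p0-config [<!ENTITY ext SYSTEM \"file:///placeholder/not-read\">]>"
            + "<c3p0-config><default-config>"
            + "<property name=\"maxPoolSize\">&ext;</property>"
            + "</default-config></c3p0-config>";

        Document doc = parseConfig(benign.getBytes(StandardCharsets.UTF_8));
        System.out.println("benign root element: " + doc.getDocumentElement().getTagName());
        System.out.println("DOCTYPE document rejected: " + isRejected(withDoctype));
    }
}
```

The disallow-doctype-decl feature is the decisive setting: with it, the SAXParseException is raised at the DOCTYPE itself, so no entity URI is ever fetched. The remaining features cover parser implementations that do not support that feature, and setFeature throws ParserConfigurationException rather than silently ignoring an unsupported name, which is the behaviour you want in a configuration loader.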

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
com.mchange:c3p0 (Maven)   < 0.9.5.3           0.9.5.3

Affected products: 45

Patches

1
2eb0ea97f745

Repair XXE vulnerability at initialization

https://github.com/zhutougg/c3p0 · zhutougg · Dec 20, 2018 · via ghsa
1 file changed · +1 −0
  • src/java/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java · +1 −0 · modified
    @@ -144,6 +144,7 @@ public static C3P0Config extractXmlConfigFromDefaultResource() throws Exception
         public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
         {
             DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
    +	fact.setExpandEntityReferences(false);
             DocumentBuilder db = fact.newDocumentBuilder();
             Document doc = db.parse( is );
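Review bot: setExpandEntityReferences(false), the only change in this hunk, is not a complete XXE defense for a JAXP DocumentBuilderFactory: it governs whether entity references are expanded into the resulting DOM, but the underlying parser can still load an external DTD and resolve external parameter entities, so file reads and outbound requests triggered by a crafted DOCTYPE remain possible. Add `fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` immediately after `newInstance()` and, as defense in depth, disable external-general-entities, external-parameter-entities and nonvalidating/load-external-dtd and call `fact.setXIncludeAware(false);`, as the OWASP XXE prevention guidance recommends for DOM parsers. Minor style point: the added line is indented with a tab while the surrounding method body uses spaces.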
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0

No linked articles in our index yet.