CVE-2018-20433 — Vulnetix

Try Vulnetix Request Demo

CVE-2018-20433 PUBLISHED

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

EPSS 2.40% · 84.9th percentile

Risk Scores

EPSS Score

2.40%

84.9th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:14.04:LTS	c3p0	0, 0.9.1.2-7, 0.9.1.2-9
Ubuntu:16.04:LTS	c3p0	0, 0.9.1.2-9
Ubuntu:18.04:LTS	c3p0	0, 0.9.1.2-9

Timeline

CVE Published
Apr 16, 2019 PoC Published
Apr 14, 2021 EPSS Score
Mar 17, 2025 EPSS Score
Mar 20, 2025 EPSS Score
Mar 22, 2025 EPSS Score
Mar 24, 2025 EPSS Score
Mar 25, 2025 EPSS Score
Mar 28, 2025 EPSS Score
Mar 29, 2025 EPSS Score
Apr 4, 2025 EPSS Score
Apr 6, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2018-20433 third-party-advisory
https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2018-20433 third-party-advisory

Open in Interactive Console →