Security Vulnerability - Action Required: XXE vulnerability in the newest version of the jar com.hubspot:SingularityService.jar #2311

Description

@Crispy-fried-chicken

Hi there,
I may have discovered a method in the newest version of com.hubspot:SingularityService.jar which has an XXE vulnerability. The vulnerability is located in the method com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils.extractXmlConfigFromInputStream(InputStream is). The vulnerability bears similarities to a recent CVE disclosure, CVE-2018-20433, in the "zhutougg/c3p0" project.
The source vulnerability information is as follows:

Vulnerability Detail:

CVE Identifier: CVE-2018-20433

Description: c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20433

Patch: zhutougg/c3p0@2eb0ea9

Affected versions: <= 0.9.5.2

Maybe the c3p0 that the project depends on is a vulnerable version?
