Advisories for Maven/Com.mchange/C3p0 package

2019

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Improper Restriction of XML External Entity Reference

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.