
Security Vulnerability - Action Required: XXE vulnerability in the newest version of the jar com.hubspot:SingularityService.jar #2311

Open
Crispy-fried-chicken opened this issue Aug 23, 2023 · 0 comments

Comments


Crispy-fried-chicken commented Aug 23, 2023

Hi there,
I may have discovered a method in the newest version of com.hubspot:SingularityService.jar which has an XXE vulnerability. The vulnerability is located in the method com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils.extractXmlConfigFromInputStream(InputStream is). The vulnerability bears similarities to a recent CVE disclosure, CVE-2018-20433, in the "zhutougg/c3p0" project.
The source vulnerability information is as follows:

Vulnerability Detail:

CVE Identifier: CVE-2018-20433

Description: c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20433

Patch: zhutougg/c3p0@2eb0ea9

Affected versions: <= 0.9.5.2

Maybe the c3p0 that the project depends on is a vulnerable version?
