Security Vulnerability - Action Required: XXE vulnerability in the newest version of the jar com.hubspot:SingularityService.jar

Hi there,
    I may have discovered a method in the newest version of com.hubspot:SingularityService.jar, which has XXE vulnerability. The vulnerability is located in the method `com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils.extractXmlConfigFromInputStream(InputStream is)` . The vulnerability bears similarities to a recent CVE disclosure *CVE-2018-20433* in the *"zhutougg/c3p0"* project. 
The source vulnerability information is as follows:
> ​**Vulnerability Detail:**
>
> ​**CVE Identifier:** CVE-2018-20433
>
>  **Description**: c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
>
> ​**Reference:** https://nvd.nist.gov/vuln/detail/CVE-2018-20433
>
> ​**Patch**: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
>
> ​**Affected versions**: <= 0.9.5.2

Maybe the c3p0 that the project depends on is a vulnerable version？


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Vulnerability - Action Required: XXE vulnerability in the newest version of the jar com.hubspot:SingularityService.jar #2311

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security Vulnerability - Action Required: XXE vulnerability in the newest version of the jar com.hubspot:SingularityService.jar #2311

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions