
Security Vulnerability - Action Required: XXE vulnerability in the newest version of the jar com.hubspot:SingularityService.jar

Open Crispy-fried-chicken opened this issue 2 years ago • 0 comments

Hi there, I may have discovered a method in the newest version of com.hubspot:SingularityService.jar which has an XXE vulnerability. The vulnerability is located in the method com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils.extractXmlConfigFromInputStream(InputStream is). The vulnerability bears similarities to a recent CVE disclosure, CVE-2018-20433, in the "zhutougg/c3p0" project. The source vulnerability information is as follows:

Vulnerability Detail:

CVE Identifier: CVE-2018-20433

Description: c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20433

Patch: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b

Affected versions: <= 0.9.5.2

Maybe the c3p0 that the project depends on is a vulnerable version?

Crispy-fried-chicken, Aug 23 '23 07:08
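For reference, the defensive parser configuration that closes this class of bug looks like the following. This is an added example, not code from c3p0, from the linked patch or from SingularityService; the class name, the constructed sample documents and the `parse` method are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Hypothetical reader for a c3p0-config style XML stream, hardened against XXE.
public final class SafeXmlConfigReader {

    // Builds a DocumentBuilderFactory whose parsers cannot resolve entities.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A config file has no legitimate need for a DOCTYPE; rejecting it
        // outright blocks both internal and external entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: forbid any external DTD or schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parses the stream; any DOCTYPE causes a SAXParseException instead of entity resolution.
    public static Document parse(InputStream is) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(is);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the c3p0-config layout; benign, no DOCTYPE.
        String benign = "<c3p0-config><default-config>"
            + "<property name=\"maxPoolSize\">10</property>"
            + "</default-config></c3p0-config>";
        Document d = parse(new ByteArrayInputStream(benign.getBytes(StandardCharsets.UTF_8)));
        System.out.println("parsed root element: " + d.getDocumentElement().getTagName());

        // Constructed sample carrying a DOCTYPE: the hardened parser refuses it.
        String withDoctype = "<!DOCTYPE c3p0-config [<!ENTITY e \"x\">]><c3p0-config>&e;</c3p0-config>";
        try {
            parse(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The corresponding dependency check is to confirm the resolved c3p0 version on the classpath is above 0.9.5.2, for example with `mvn dependency:tree`.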