CVE-2026-27830

HIGH
中文标题:
(暂无数据)
英文标题:
c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property
CVSS分数: 8.9
发布时间: 2026-02-26 00:45:18
漏洞类型: (暂无数据)
状态: PUBLISHED
数据质量分数: 0.40
数据版本: v2
漏洞描述
中文描述:

(暂无数据)

英文描述:

c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.

CWE类型:
CWE-94 CWE-502
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
swaldman c3p0 < 0.12.0 - - cpe:2.3:a:swaldman:c3p0:<_0.12.0:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
https://github.com/swaldman/c3p0/security/advisories/GHSA-5476-xc4j-rqcv x_refsource_CONFIRM
cve.org
访问
https://github.com/swaldman/c3p0/commit/e14cbd8166e423e2e9a9d6f08b2add3433492d6e x_refsource_MISC
cve.org
访问
https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal x_refsource_MISC
cve.org
访问
https://www.mchange.com/projects/c3p0/#configuring_security x_refsource_MISC
cve.org
访问
https://www.mchange.com/projects/c3p0/#security-note x_refsource_MISC
cve.org
访问
CVSS评分详情
4.0 (cna)
HIGH
8.9
CVSS向量: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
机密性
HIGH
完整性
HIGH
可用性
HIGH
后续系统影响 (Subsequent):
机密性
HIGH
完整性
HIGH
可用性
HIGH
时间信息
发布时间:
2026-02-26 00:45:18
修改时间:
2026-02-26 00:45:18
创建时间:
2026-02-26 06:00:01
更新时间:
2026-02-28 06:00:02
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2026-27830 2026-02-26 03:19:54 2026-02-25 22:00:01
NVD nvd_CVE-2026-27830 2026-02-27 02:00:05 2026-02-26 22:00:03
版本与语言
当前版本: v2
主要语言: EN
支持语言:
EN
安全公告
暂无安全公告信息
变更历史
v2 NVD
2026-02-27 06:00:03
data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • data_sources: ['cve'] -> ['cve', 'nvd']