Hi,
    The 0.7.2-incubating was released 8 years ago, the currently maintained versions are Kylin 3.0+, and C3P0ConfigXmlUtils is not a maintained version. So I think it affects nobody.

--

Best wishes to you!
From: Xiaoxiang Yu

At 2023-09-21 16:54:17, "James Watt" <crispy.james.w...@gmail.com> wrote:
>Hi there,
>    I think the method
>com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils.extractXmlConfigFromInputStream(InputStream is)
>may have an XXE vulnerability which is vulnerable in the
>org.apache.kylin:kylin-job before version 0.7.2-incubating-job. It shares
>similarities to a recent CVE disclosure CVE-2018-20433 in the
>"swaldman/c3p0" project.
>     The source vulnerability information is as follows:
>
>> Vulnerability Detail:
>> CVE Identifier: CVE-2018-20433
>> c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in
>> com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
>> Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20433
>> Patch: zhutougg/c3p0@2eb0ea9
>> <https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b>
>
>
>This may be caused by the fact that the version of c3p0, the component you
>rely on, has not been updated. Maybe I can submit a PR to help you update
>the version? Looking forward to your reply.
>
>Best regards,
>Yiheng Cao
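For readers triaging the report above, here is an added example (not code from Kylin, c3p0, or either correspondent) of the standard XXE mitigation for a DOM parser that reads a c3p0-config style document: it refuses any DOCTYPE declaration and disables external entity resolution, so a config carrying an external entity is rejected instead of resolved during initialization. The sample XML documents and the class and method names are constructed for this example; the feature URIs are the ones supported by the JDK's built-in Xerces parser.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class C3p0ConfigXxeCheck {
    // Constructed sample: a minimal c3p0-config document whose DOCTYPE declares an
    // external entity. A parser that resolves external entities would read the
    // referenced resource while the pool is being initialized.
    static final String CONFIG_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE c3p0-config [<!ENTITY ext SYSTEM \"file:///dev/null\">]>\n"
        + "<c3p0-config><default-config>"
        + "<property name=\"user\">&ext;</property>"
        + "</default-config></c3p0-config>";

    // Constructed sample: an ordinary config with no DOCTYPE, which must still parse.
    static final String BENIGN_CONFIG =
        "<c3p0-config><default-config>"
        + "<property name=\"maxPoolSize\">20</property>"
        + "</default-config></c3p0-config>";

    // Hardened factory: reject DOCTYPE outright and, as defence in depth, turn off
    // external general/parameter entities, external DTD loading and XInclude.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses a config stream with the hardened factory; returns null when the
    // parser rejects the input (for example because it contains a DOCTYPE).
    static Document parseConfig(InputStream is) {
        try {
            DocumentBuilder b = hardenedFactory().newDocumentBuilder();
            return b.parse(is);
        } catch (Exception e) {
            return null;
        }
    }

    static InputStream toStream(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        System.out.println("doctype rejected: " + (parseConfig(toStream(CONFIG_WITH_DOCTYPE)) == null));
        System.out.println("benign parsed:    " + (parseConfig(toStream(BENIGN_CONFIG)) != null));
    }
}
```

Running the class prints `doctype rejected: true` and `benign parsed: true`; the same factory settings are what a dependency bump to a patched c3p0 is expected to provide for the method named in the report.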
