Hi there, I think the method com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils.extractXmlConfigFromInputStream(InputStream is) may have an XXE vulnerability that affects org.apache.kylin:kylin-job before version 0.7.2-incubating-job. It shares similarities with a recent CVE disclosure, CVE-2018-20433, in the "swaldman/c3p0" project. The source vulnerability information is as follows:

> Vulnerability Detail:
> CVE Identifier: CVE-2018-20433
> c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
> Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20433
> Patch: zhutougg/c3p0@2eb0ea9 <https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b>

This may be caused by the fact that the version of c3p0, the component you rely on, has not been updated. Maybe I can submit a PR to help you update the version? Looking forward to your reply.

Best regards,
Yiheng Cao
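For context on the class of bug the issue describes, the following is an added example of how an XML configuration loader can be hardened against XXE in Java. It is not code from c3p0, from Apache Kylin, or from the referenced patch commit; the class and method names (`HardenedXmlConfigLoader`, `parseConfig`) and the sample `c3p0-config` documents are constructed for illustration. Upgrading to a fixed c3p0 release is still the correct remediation for the dependency itself; this shows what a safe parser configuration looks like so it can be checked for in a code review.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

// Hypothetical loader (not c3p0's own code) that parses an XML config stream
// with DTD processing and external entity resolution disabled.
public class HardenedXmlConfigLoader {

    // Build a DocumentBuilderFactory that refuses DOCTYPE declarations and
    // never resolves external general/parameter entities or external DTDs.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest single control: any <!DOCTYPE ...> makes the parse fail.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the DOCTYPE feature is relaxed later.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: block all external DTD and schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parse an untrusted config stream with the hardened factory.
    static Document parseConfig(InputStream is)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(is);
    }

    private static InputStream asStream(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary c3p0-style config without a DOCTYPE parses fine.
        String benign = "<c3p0-config><default-config>"
                + "<property name=\"maxPoolSize\">20</property>"
                + "</default-config></c3p0-config>";
        Document doc = parseConfig(asStream(benign));
        System.out.println("parsed root element: " + doc.getDocumentElement().getTagName());

        // Constructed sample: the same document with a DOCTYPE (here only an
        // internal entity, no external reference) is rejected outright,
        // which is the behaviour a reviewer should expect from a hardened loader.
        String withDoctype = "<!DOCTYPE c3p0-config [<!ENTITY sz \"20\">]>"
                + "<c3p0-config><default-config>"
                + "<property name=\"maxPoolSize\">&sz;</property>"
                + "</default-config></c3p0-config>";
        try {
            parseConfig(asStream(withDoctype));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE as intended: " + e.getMessage());
        }
    }
}
```

When reviewing a dependency's XML loading code, the presence of `disallow-doctype-decl` (or, at minimum, the two `external-*-entities` features set to false and `ACCESS_EXTERNAL_DTD` cleared) on the factory is the concrete thing to look for; a bare `DocumentBuilderFactory.newInstance()` followed directly by `parse(...)` is the pattern that leaves entity expansion enabled.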