Hi,

The 0.7.2-incubating was released 8 years ago, the currently maintained versions are Kylin 3.0+, and C3P0ConfigXmlUtils is not a maintained version. So I think it affected nobody.
--
Best wishes to you!
From: Xiaoxiang Yu

At 2023-09-21 16:54:17, "James Watt" <crispy.james.w...@gmail.com> wrote:
> Hi there,
> I think the method com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils.extractXmlConfigFromInputStream(InputStream is) may have an XXE vulnerability which is vulnerable in the org.apache.kylin:kylin-job before version 0.7.2-incubating-job. It shares similarities with a recent CVE disclosure, CVE-2018-20433, in the "swaldman/c3p0" project.
> The source vulnerability information is as follows:
>
>> Vulnerability Detail:
>> CVE Identifier: CVE-2018-20433
>> c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
>> Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20433
>> Patch: zhutougg/c3p0@2eb0ea9 <https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b>
>
> This may be caused by the fact that the version of c3p0, the component you rely on, has not been updated. Maybe I can submit a PR to help you update the version? Looking forward to your reply.
>
> Best regards,
> Yiheng Cao
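For readers assessing the XXE report above, here is an added illustration (not code from either message, nor from c3p0 or Kylin) of how a config loader in the role of extractXmlConfigFromInputStream can parse its input stream with the JDK's DocumentBuilderFactory locked down so that a DOCTYPE carrying an external entity is rejected before any entity is resolved. The class name, the sample XML and the placeholder path are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlConfigLoader {

    // Constructed sample: a c3p0-style config fragment that also carries a
    // DOCTYPE with an external entity declaration, the shape an XXE probe takes.
    private static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE c3p0-config [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\"> ]>\n"
      + "<c3p0-config><default-config>"
      + "<property name=\"user\">&ext;</property>"
      + "</default-config></c3p0-config>";

    // Hardened parser: DOCTYPE is refused outright, so no entity can be
    // declared at all; external entity and DTD access are disabled as a
    // second layer in case the first feature is unsupported by the parser.
    public static Document parseHardened(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(in);
    }

    public static void main(String[] args) throws Exception {
        InputStream in = new ByteArrayInputStream(
            SAMPLE_WITH_DOCTYPE.getBytes(StandardCharsets.UTF_8));
        try {
            parseHardened(in);
            System.out.println("unexpected: document accepted");
        } catch (SAXParseException e) {
            // Expected path: the DOCTYPE is rejected, nothing is ever fetched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same factory settings apply to SAXParserFactory and XMLInputFactory-based loaders; the check to make in a dependency like c3p0 is whether its XML entry point sets any of these features before parsing.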