CVE-2026-55223 (GCVE-0-2026-55223)

Vulnerability from cvelistv5 – Published: 2026-06-30 22:56 – Updated: 2026-07-01 13:38
VLAI
Title
c3p0 exposes a deserialization "sink" via JDBC DataSource bean properties
Summary
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties — triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-502 - Deserialization of Untrusted Data
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
Vendor Product Version
swaldman c3p0 Affected: < 0.14.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55223",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T13:37:58.554398Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T13:38:12.928Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "c3p0",
          "vendor": "swaldman",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0,  c3p0 in combination with other libraries, can compose to a \"sink\" for  deserialization gadgets. The JDBC spec\u0027s DataSource.getConnection() and  ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as \"properties\" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious  DataSource objects whose property lookups invoke vulnerable drivers, then  smuggle them in serialized form to where an application deserializes and auto-resolves bean properties \u2014 triggering the attack. This requires a  susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the  CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an  essential component of the trigger. This issue has been fixed in version 0.14.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T22:56:55.895Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/swaldman/c3p0/security/advisories/GHSA-w6w4-rjh9-9r58",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/swaldman/c3p0/security/advisories/GHSA-w6w4-rjh9-9r58"
        },
        {
          "name": "https://github.com/swaldman/c3p0/commit/7b022c4b6694dabc6204254dc917af9c38f2cb27",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/swaldman/c3p0/commit/7b022c4b6694dabc6204254dc917af9c38f2cb27"
        }
      ],
      "source": {
        "advisory": "GHSA-w6w4-rjh9-9r58",
        "discovery": "UNKNOWN"
      },
      "title": "c3p0 exposes a deserialization \"sink\" via JDBC DataSource bean properties"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-55223",
    "datePublished": "2026-06-30T22:56:55.895Z",
    "dateReserved": "2026-06-16T16:16:32.628Z",
    "dateUpdated": "2026-07-01T13:38:12.928Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-55223",
      "date": "2026-07-02",
      "epss": "0.00284",
      "percentile": "0.20164"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-55223\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-30T23:17:28.260\",\"lastModified\":\"2026-07-02T17:54:15.243\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0,  c3p0 in combination with other libraries, can compose to a \\\"sink\\\" for  deserialization gadgets. The JDBC spec\u0027s DataSource.getConnection() and  ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as \\\"properties\\\" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious  DataSource objects whose property lookups invoke vulnerable drivers, then  smuggle them in serialized form to where an application deserializes and auto-resolves bean properties \u2014 triggering the attack. This requires a  susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the  CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an  essential component of the trigger. This issue has been fixed in version 0.14.0.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"swaldman\",\"product\":\"c3p0\",\"versions\":[{\"version\":\"\u003c 0.14.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-01T13:37:58.554398Z\",\"id\":\"CVE-2026-55223\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"},{\"lang\":\"en\",\"value\":\"CWE-915\"}]}],\"references\":[{\"url\":\"https://github.com/swaldman/c3p0/commit/7b022c4b6694dabc6204254dc917af9c38f2cb27\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/swaldman/c3p0/security/advisories/GHSA-w6w4-rjh9-9r58\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"c3p0 exposes a deserialization \\\"sink\\\" via JDBC DataSource bean properties\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-502\", \"lang\": \"en\", \"description\": \"CWE-502: Deserialization of Untrusted Data\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-915\", \"lang\": \"en\", \"description\": \"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/swaldman/c3p0/security/advisories/GHSA-w6w4-rjh9-9r58\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/swaldman/c3p0/security/advisories/GHSA-w6w4-rjh9-9r58\"}, {\"name\": \"https://github.com/swaldman/c3p0/commit/7b022c4b6694dabc6204254dc917af9c38f2cb27\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/swaldman/c3p0/commit/7b022c4b6694dabc6204254dc917af9c38f2cb27\"}], \"affected\": [{\"vendor\": \"swaldman\", \"product\": \"c3p0\", \"versions\": [{\"version\": \"\u003c 0.14.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-30T22:56:55.895Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0,  c3p0 in combination with other libraries, can compose to a \\\"sink\\\" for  deserialization gadgets. The JDBC spec\u0027s DataSource.getConnection() and  ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as \\\"properties\\\" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious  DataSource objects whose property lookups invoke vulnerable drivers, then  smuggle them in serialized form to where an application deserializes and auto-resolves bean properties \\u2014 triggering the attack. This requires a  susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the  CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an  essential component of the trigger. This issue has been fixed in version 0.14.0.\"}], \"source\": {\"advisory\": \"GHSA-w6w4-rjh9-9r58\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-55223\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-01T13:37:58.554398Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-01T13:38:03.964Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-55223\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-06-16T16:16:32.628Z\", \"datePublished\": \"2026-06-30T22:56:55.895Z\", \"dateUpdated\": \"2026-07-01T13:38:12.928Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…