OESA-2026-1691

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1691

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2026-1691.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2026-1691

Upstream

CVE-2026-27830

Published

2026-03-20T14:25:37Z

Modified

2026-03-20T14:32:03.365850Z

Summary

c3p0 security update

Details

c3p0 is a JDBC driver for extending traditional libraries (DriverManager-based libraries) with JNDI bindable data sources (including data sources), as described in the jdbc3 specification and jdbc2 standard extensions. They implement connections and statement pools.

Security Fix(es):

c3p0 is a JDBC connection pooling library. Prior to version 0.12.0, several ConnectionPoolDataSource implementations had a property called userOverridesAsString, which conceptually represents a Map<String,Map<String,String>> but was maintained as a hex-encoded Java serialized object. An attacker able to reset this property on an existing ConnectionPoolDataSource, or via maliciously crafted Java-serialized objects and javax.naming.Reference instances, could trigger deserialization. Combined with vulnerabilities in its main dependency, mchange-commons-java, which includes code mirroring early JNDI implementations with ungated support for remote factoryClassLocation values, attackers could set c3p0's userOverridesAsString to hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded javax.naming.Reference objects could provoke the download and execution of malicious code from a remote factoryClassLocation, leading to arbitrary code execution on the application's CLASSPATH.(CVE-2026-27830)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:20.03-LTS-SP4

c3p0

Package

Name: c3p0
Purl: pkg:rpm/openEuler/c3p0&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.5.4-4.oe2003sp4

Ecosystem specific

{
    "noarch": [
        "c3p0-0.9.5.4-4.oe2003sp4.noarch.rpm",
        "c3p0-help-0.9.5.4-4.oe2003sp4.noarch.rpm"
    ],
    "src": [
        "c3p0-0.9.5.4-4.oe2003sp4.src.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1691.json"

openEuler:22.03-LTS-SP4

c3p0

Package

Name: c3p0
Purl: pkg:rpm/openEuler/c3p0&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.5.4-4.oe2203sp4

Ecosystem specific

{
    "noarch": [
        "c3p0-0.9.5.4-4.oe2203sp4.noarch.rpm",
        "c3p0-help-0.9.5.4-4.oe2203sp4.noarch.rpm"
    ],
    "src": [
        "c3p0-0.9.5.4-4.oe2203sp4.src.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1691.json"

openEuler:24.03-LTS

c3p0

Package

Name: c3p0
Purl: pkg:rpm/openEuler/c3p0&distro=openEuler-24.03-LTS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.5.4-4.oe2403

Ecosystem specific

{
    "noarch": [
        "c3p0-0.9.5.4-4.oe2403sp1.noarch.rpm",
        "c3p0-help-0.9.5.4-4.oe2403sp1.noarch.rpm",
        "c3p0-0.9.5.4-4.oe2403sp2.noarch.rpm",
        "c3p0-help-0.9.5.4-4.oe2403sp2.noarch.rpm",
        "c3p0-0.9.5.4-4.oe2403sp3.noarch.rpm",
        "c3p0-help-0.9.5.4-4.oe2403sp3.noarch.rpm",
        "c3p0-0.9.5.4-4.oe2403.noarch.rpm",
        "c3p0-help-0.9.5.4-4.oe2403.noarch.rpm"
    ],
    "src": [
        "c3p0-0.9.5.4-4.oe2403sp1.src.rpm",
        "c3p0-0.9.5.4-4.oe2403sp2.src.rpm",
        "c3p0-0.9.5.4-4.oe2403sp3.src.rpm",
        "c3p0-0.9.5.4-4.oe2403.src.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1691.json"

openEuler:24.03-LTS-SP1

c3p0

Package

Name: c3p0
Purl: pkg:rpm/openEuler/c3p0&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.5.4-4.oe2403sp1

Ecosystem specific

{
    "noarch": [
        "c3p0-0.9.5.4-4.oe2403sp1.noarch.rpm",
        "c3p0-help-0.9.5.4-4.oe2403sp1.noarch.rpm"
    ],
    "src": [
        "c3p0-0.9.5.4-4.oe2403sp1.src.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1691.json"

openEuler:24.03-LTS-SP2

c3p0

Package

Name: c3p0
Purl: pkg:rpm/openEuler/c3p0&distro=openEuler-24.03-LTS-SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.5.4-4.oe2403sp2

Ecosystem specific

{
    "noarch": [
        "c3p0-0.9.5.4-4.oe2403sp2.noarch.rpm",
        "c3p0-help-0.9.5.4-4.oe2403sp2.noarch.rpm"
    ],
    "src": [
        "c3p0-0.9.5.4-4.oe2403sp2.src.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1691.json"

openEuler:24.03-LTS-SP3

c3p0

Package

Name: c3p0
Purl: pkg:rpm/openEuler/c3p0&distro=openEuler-24.03-LTS-SP3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.5.4-4.oe2403sp3

Ecosystem specific

{
    "noarch": [
        "c3p0-0.9.5.4-4.oe2403sp3.noarch.rpm",
        "c3p0-help-0.9.5.4-4.oe2403sp3.noarch.rpm"
    ],
    "src": [
        "c3p0-0.9.5.4-4.oe2403sp3.src.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1691.json"