Impact
c3p0, a JDBC connection pooling library, contained a flaw in releases before version 0.14.0: its JavaBean-style handling of DataSource and ConnectionPoolDataSource properties treated seemingly innocuous properties as safe. An attacker can craft a malicious DataSource whose property resolution triggers vulnerable JDBC driver code when an application deserializes the object and automatically resolves its bean properties. This mechanism enables arbitrary code execution, compromising the confidentiality, integrity, and availability of the affected system.
Affected Systems
The vulnerability exists in the swaldman:c3p0 library for all releases older than 0.14.0. Any application that includes c3p0 and relies on standard Java serialization of objects containing DataSource or ConnectionPoolDataSource types is potentially affected. Exploitation also requires a vulnerable JDBC driver on the classpath and a deserialization framework that automatically looks up JavaBean properties, such as Apache Commons BeanUtils used in a Comparator that sorts by bean properties.
Risk and Exploitability
This weakness carries a CVSS score of 6.3, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an application that deserializes untrusted data and automatically resolves JavaBean properties, a compatible JDBC driver on the classpath, and c3p0 present as a data source provider. Typical attack paths involve delivering a crafted serialized payload to an application that uses Apache Commons BeanUtils or a similar library, which then reaches the vulnerable driver through the deserialization sink.
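As a defensive illustration of the deserialization sink described in the Impact and Risk sections, added here and not part of the OpenCVE advisory or the c3p0 project: a JDK 9+ ObjectInputFilter (JEP 290) that refuses any class from c3p0's package (assumed to be com.mchange.v2.c3p0) and anything outside an explicit allow-list, so a crafted DataSource is rejected before any field is read or bean property resolved.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

/** Added example, not c3p0 code: a serialization filter installed on an ObjectInputStream. */
public class FilteredDeserializer {

    // Patterns are checked left to right; first match wins and "!*" rejects everything else.
    // The c3p0 package name is an assumption; adjust it to the classes your build actually ships.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!com.mchange.v2.c3p0.**;"    // reject c3p0 DataSource / ConnectionPoolDataSource impls
            + "java.lang.*;java.util.*;"  // allow-list only the types this consumer expects
            + "maxdepth=8;"               // cap object-graph nesting as a second line of defence
            + "!*");                      // reject anything else, including unknown JDBC driver types

    /** Deserialize with the filter installed; a rejected class raises InvalidClassException. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);   // must be set before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an allow-listed graph (ArrayList of String) passes the filter.
        List<String> ok = new ArrayList<>(List.of("pool-a", "pool-b"));
        System.out.println("allowed: " + readFiltered(serialize(ok)));

        // Constructed sample: a class outside the allow-list stands in for a serialized
        // DataSource; it is rejected before any of its state is read.
        byte[] untrusted = serialize(new java.util.concurrent.atomic.AtomicInteger(1));
        try {
            readFiltered(untrusted);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs at class-resolution time, so a rejected object never reaches the bean-property resolution step the advisory describes; pair it with upgrading c3p0 to 0.14.0 or later rather than relying on it alone.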
OpenCVE Enrichment