An update for c3p0 is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1691 Final 1.0 1.0 2026-03-20 Initial 2026-03-20 2026-03-20 openEuler SA Tool V1.0 2026-03-20 c3p0 security update An update for c3p0 is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS c3p0 is a JDBC driver for extending traditional libraries (DriverManager-based libraries) with JNDI bindable data sources (including data sources), as described in the jdbc3 specification and jdbc2 standard extensions. They implement connections and statement pools. Security Fix(es): c3p0 is a JDBC connection pooling library. Prior to version 0.12.0, several `ConnectionPoolDataSource` implementations had a property called `userOverridesAsString`, which conceptually represents a `Map<String,Map<String,String>>` but was maintained as a hex-encoded Java serialized object. An attacker able to reset this property on an existing `ConnectionPoolDataSource`, or via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances, could trigger deserialization. Combined with vulnerabilities in its main dependency, mchange-commons-java, which includes code mirroring early JNDI implementations with ungated support for remote `factoryClassLocation` values, attackers could set c3p0's `userOverridesAsString` to hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke the download and execution of malicious code from a remote `factoryClassLocation`, leading to arbitrary code execution on the application's `CLASSPATH`.(CVE-2026-27830) An update for c3p0 is now available for master/openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High c3p0 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1691 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-27830 https://nvd.nist.gov/vuln/detail/CVE-2026-27830 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS c3p0-0.9.5.4-4.oe2403sp1.noarch.rpm c3p0-help-0.9.5.4-4.oe2403sp1.noarch.rpm c3p0-0.9.5.4-4.oe2403sp2.noarch.rpm c3p0-help-0.9.5.4-4.oe2403sp2.noarch.rpm c3p0-0.9.5.4-4.oe2403sp3.noarch.rpm c3p0-help-0.9.5.4-4.oe2403sp3.noarch.rpm c3p0-0.9.5.4-4.oe2003sp4.noarch.rpm c3p0-help-0.9.5.4-4.oe2003sp4.noarch.rpm c3p0-0.9.5.4-4.oe2203sp4.noarch.rpm c3p0-help-0.9.5.4-4.oe2203sp4.noarch.rpm c3p0-0.9.5.4-4.oe2403.noarch.rpm c3p0-help-0.9.5.4-4.oe2403.noarch.rpm c3p0-0.9.5.4-4.oe2403sp1.src.rpm c3p0-0.9.5.4-4.oe2403sp2.src.rpm c3p0-0.9.5.4-4.oe2403sp3.src.rpm c3p0-0.9.5.4-4.oe2003sp4.src.rpm c3p0-0.9.5.4-4.oe2203sp4.src.rpm c3p0-0.9.5.4-4.oe2403.src.rpm c3p0 is a JDBC connection pooling library. Prior to version 0.12.0, several `ConnectionPoolDataSource` implementations had a property called `userOverridesAsString`, which conceptually represents a `Map<String,Map<String,String>>` but was maintained as a hex-encoded Java serialized object. An attacker able to reset this property on an existing `ConnectionPoolDataSource`, or via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances, could trigger deserialization. Combined with vulnerabilities in its main dependency, mchange-commons-java, which includes code mirroring early JNDI implementations with ungated support for remote `factoryClassLocation` values, attackers could set c3p0's `userOverridesAsString` to hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke the download and execution of malicious code from a remote `factoryClassLocation`, leading to arbitrary code execution on the application's `CLASSPATH`. 2026-03-20 CVE-2026-27830 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS High 8.9 AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X c3p0 security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1691