9.8
CVE-2026-27727
- EPSS 0.81%
- Veröffentlicht 25.02.2026 16:01:04
- Zuletzt bearbeitet 02.07.2026 12:17:01
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
mchange-commons-java: Remote Code Execution via JNDI Reference Resolution
mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mchange ≫ Mchange Commons Java Version < 0.4.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.81% | 0.524 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 8.9 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 8.3 | 1.6 | 6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44
https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal
https://www.mchange.com/projects/c3p0/#configuring_security
https://www.mchange.com/projects/c3p0/#security-note
https://access.redhat.com/errata/RHSA-2026:3890
https://access.redhat.com/errata/RHSA-2026:18059
https://access.redhat.com/errata/RHSA-2026:18054
https://access.redhat.com/errata/RHSA-2026:18055
https://access.redhat.com/errata/RHSA-2026:14873
https://access.redhat.com/errata/RHSA-2026:14874
https://access.redhat.com/errata/RHSA-2026:4285
https://access.redhat.com/security/cve/CVE-2026-27727
https://bugzilla.redhat.com/show_bug.cgi?id=2442671
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27727.json
https://access.redhat.com/errata/RHSA-2026:34365