Mchange Commons Java
Monthly
Insecure JNDI object instantiation in mchange-commons-java before 0.6.0 lets attackers who can influence deserialized data or JNDI Reference resolution coerce the library's JavaBeanObjectFactory into constructing arbitrary classes and setting their JavaBean properties, enabling JNDI injection and deserialization-gadget attacks. Because this library underpins mchange projects such as the c3p0 connection pool, any Java application that deserializes attacker-controlled objects or dereferences untrusted JNDI References through it is exposed; a demonstrated path abuses a Swing JEditorPane to force outbound HTTP requests from a trusted security domain. No public exploit identified at time of analysis and it is not in CISA KEV, so treat it as a patch-now supply-chain issue rather than an actively exploited one.
Remote code execution in mchange-commons-java prior to 0.4.0 allows an attacker to download and run arbitrary Java code by forcing an application to dereference a malicious javax.naming.Reference or serialized object that specifies a remote factoryClassLocation. The library ships its own legacy JNDI dereferencing implementation, so applications using it (notably the c3p0 connection pool) remain exploitable even on JDKs hardened with com.sun.jndi.ldap.object.trustURLCodebase=false. Publicly available exploit code exists (Mogwai Labs c3p0 research), though EPSS is low (0.10%, 27th percentile) and the issue is not listed in CISA KEV.
Insecure JNDI object instantiation in mchange-commons-java before 0.6.0 lets attackers who can influence deserialized data or JNDI Reference resolution coerce the library's JavaBeanObjectFactory into constructing arbitrary classes and setting their JavaBean properties, enabling JNDI injection and deserialization-gadget attacks. Because this library underpins mchange projects such as the c3p0 connection pool, any Java application that deserializes attacker-controlled objects or dereferences untrusted JNDI References through it is exposed; a demonstrated path abuses a Swing JEditorPane to force outbound HTTP requests from a trusted security domain. No public exploit identified at time of analysis and it is not in CISA KEV, so treat it as a patch-now supply-chain issue rather than an actively exploited one.
Remote code execution in mchange-commons-java prior to 0.4.0 allows an attacker to download and run arbitrary Java code by forcing an application to dereference a malicious javax.naming.Reference or serialized object that specifies a remote factoryClassLocation. The library ships its own legacy JNDI dereferencing implementation, so applications using it (notably the c3p0 connection pool) remain exploitable even on JDKs hardened with com.sun.jndi.ldap.object.trustURLCodebase=false. Publicly available exploit code exists (Mogwai Labs c3p0 research), though EPSS is low (0.10%, 27th percentile) and the issue is not listed in CISA KEV.