4 matches found

Tenable Nessus
added 2026/03/11 12:0 a.m.; 0 views

openSUSE 15 Security Update : c3p0 and mchange-commons (SUSE-SU-2026:0855-1)

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0855-1 advisory. c3p0: - Security issues fixed: - CVE-2026-27830: Fixed unsafe object deserialization bsc1258942 - Fix the null pointer exception in the...

CVSS 9.8, AI score 6, EPSS 0.00313, Exploits 1, References 8
RedhatCVE
added 2026/02/26 6:55 p.m.; 3 views

CVE-2026-27830

A flaw was found in c3p0, a Java Database Connectivity (JDBC) Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or javax.naming.Reference instances. By manipulating the userOverridesAsString...

CVSS 8.9, AI score 6.5, EPSS 0.00313, Exploits 0, References 8
Debian CVE
added 2026/02/26 12:45 a.m.; 3 views

CVE-2026-27830

c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to...

CVSS 8.9, AI score 8.1, EPSS 0.00313, Exploits 0
OSV
added 2026/02/25 6:20 p.m.; 1 views

GHSA-M2CM-222F-QW44 mchange-commons-java: Remote Code Execution via JNDI Reference Resolution

Impact: mchange-commons-java includes code that mirrors early implementations of JNDI functionality, including support for remote factoryClassLocation values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously...

CVSS 8.9, AI score 6.2, EPSS 0.00151, Exploits 1, References 6