c3p0 is vulnerable to XML entity expansion (XEE). Because protections against recursive entity expansion are missing when c3p0 loads its configuration, remote attackers can carry out a billion laughs attack by having it load a malicious XML configuration.
hackerone.com/reports/509315
lists.fedoraproject.org/archives/list/[email protected]/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/
lists.fedoraproject.org/archives/list/[email protected]/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/security-alerts/cpujan2021.html
www.oracle.com/security-alerts/cpujul2020.html
www.oracle.com/security-alerts/cpuoct2020.html
www.oracle.com/security-alerts/cpuoct2021.html