swaldman mchange-commons-java up to 0.3.x injection

Summaryinfo

A vulnerability classified as problematic has been found in swaldman mchange-commons-java up to 0.3.x. This vulnerability affects unknown code. The manipulation leads to injection. This vulnerability is documented as CVE-2026-27727. The attack can be initiated remotely. There is not any exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in swaldman mchange-commons-java up to 0.3.x and classified as problematic. This issue affects some unknown processing. The manipulation with an unknown input leads to a injection vulnerability. Using CWE to declare the problem leads to CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-27727 since 02/23/2026. The exploitation is known to be easy. The attack may be initiated remotely. The exploitation needs additional levels of successful authentication. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1055 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 301811 (openSUSE 15 Security Update : c3p0 and mchange-commons (SUSE-SU-2026:0855-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 0.4.0 eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (301811) and CERT Bund (WID-SEC-2026-0694). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Affected

• Red Hat Enterprise Linux

Productinfo

Type

• Programming Language Software

Vendor

• swaldman

Name

• mchange-commons-java

Version

• 0.1
• 0.2
• 0.3

Website

• Product: https://github.com/swaldman/mchange-commons-java/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion