CVE-2026-27727 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2026-27727 Interim 1 1 2026-03-05T00:15:01Z current 2026-03-05T00:15:01Z 2026-03-05T00:15:01Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2026-27727 mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.6 openSUSE Tumbleweed c3p0 c3p0-0.12.0-1.1 c3p0-javadoc c3p0-javadoc-0.12.0-1.1 mchange-commons mchange-commons-0.4.0-1.1 mchange-commons-javadoc mchange-commons-javadoc-0.4.0-1.1 c3p0-0.12.0-1.1 as a component of openSUSE Tumbleweed c3p0-javadoc-0.12.0-1.1 as a component of openSUSE Tumbleweed mchange-commons-0.4.0-1.1 as a component of openSUSE Tumbleweed mchange-commons-javadoc-0.4.0-1.1 as a component of openSUSE Tumbleweed c3p0 as a component of openSUSE Leap 15.6 c3p0-javadoc as a component of openSUSE Leap 15.6 mchange-commons as a component of openSUSE Leap 15.6 mchange-commons-javadoc as a component of openSUSE Leap 15.6 mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs. CVE-2026-27727 openSUSE Tumbleweed:c3p0-0.12.0-1.1 openSUSE Tumbleweed:c3p0-javadoc-0.12.0-1.1 openSUSE Tumbleweed:mchange-commons-0.4.0-1.1 openSUSE Tumbleweed:mchange-commons-javadoc-0.4.0-1.1 critical 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H