Main Vulnerability Database Vulnerabilities #VU69302

Exposed dangerous method or function in HyperSQL database - CVE-2022-41853

Published: November 14, 2022 / Updated: December 6, 2023

Vulnerability identifier: #VU69302

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2022-41853

CWE-ID: CWE-749

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: HSQLDB

Affected software:
HyperSQL database

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization when using java.sql.Statement or java.sql.PreparedStatement in hsqldb. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution.

How to mitigate CVE-2022-41853

Install updates from vendor's website.

Sources

http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7

Exposed dangerous method or function in HyperSQL database - CVE-2022-41853

Detailed vulnerability description

How to mitigate CVE-2022-41853

Sources

Please verify you're human