Main Vulnerability Database Vulnerabilities #VU69302

#VU69302 Exposed dangerous method or function in HyperSQL database - CVE-2022-41853

Published: November 14, 2022 / Updated: December 6, 2023

Vulnerability identifier: #VU69302

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2022-41853

CWE-ID: CWE-749

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
HyperSQL database

Software vendor:
HSQLDB

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization when using java.sql.Statement or java.sql.PreparedStatement in hsqldb. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution.

Remediation

Install updates from vendor's website.

External links

http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7