Vulnerability DatabaseCVE-2022-41853
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-41853
October 06, 2022
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
Related Resources (7)
http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control
https://www.debian.org/security/2023/dsa-5313
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7
https://sourceforge.net/projects/hsqldb
https://nvd.nist.gov/vuln/detail/CVE-2022-41853
https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html
https://access.redhat.com/security/cve/CVE-2022-41853
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-470
EPSS
Base Score:
70.56