Vulnerability Details : CVE-2022-41853
Applications that use java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL Database) to process untrusted input may be vulnerable to remote code execution. By default, SQL statements are allowed to call any static method of any Java class on the classpath, which results in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to the classes that are allowed to be called, for example with System.setProperty("hsqldb.method_class_names", "abc") or the JVM argument -Dhsqldb.method_class_names="abc". From version 2.7.1, no classes are accessible by default except those in java.lang.Math; any other class must be enabled manually.
Vulnerability category: Execute code
Products affected by CVE-2022-41853
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:hsqldb:hypersql_database:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41853
- Probability of exploitation activity in the next 30 days: 2.50%
- Percentile (the proportion of vulnerabilities scored at or below this value): ~90%
CVSS scores for CVE-2022-41853
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H | 1.3 | 6.0 | Google Inc. | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2022-41853
- CWE-470: The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. (Assigned by: cve-coordination@google.com, Secondary)
References for CVE-2022-41853
- http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control (Chapter 9. SQL-Invoked Routines; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html ([SECURITY] [DLA 3234-1] hsqldb security update; Mailing List, Third Party Advisory)
- https://www.debian.org/security/2023/dsa-5313 (Debian Security Information: DSA-5313-1 hsqldb; Third Party Advisory)
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7 (50212 - hsqldb:SqlPreparedStatementFuzzer: Security exception in jaz.Zer.<clinit> - oss-fuzz; Mailing List, Third Party Advisory)