CVE Vulnerabilities

CVE-2022-46337

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Nov 20, 2023 | Modified: Apr 26, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which werent also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures.

Mitigation:

Users should upgrade to Java 21 and Derby 10.17.1.0.

Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Derby Apache 10.1.1.0 (including) 10.14.3.0 (excluding)
Derby Apache 10.15.1.3 (including) 10.15.2.1 (excluding)
Derby Apache 10.16.1.1 (including) 10.16.1.1 (including)
Derby Ubuntu bionic *
Derby Ubuntu lunar *
Derby Ubuntu mantic *
Derby Ubuntu trusty *
Derby Ubuntu xenial *

Potential Mitigations

References