Description
OrientDB through 2.2.22 does not enforce privilege requirements during "where" or "fetchplan" or "order by" use, which allows remote attackers to execute arbitrary OS commands via a crafted request.
Remediation
References
http://www.heavensec.org/?p=1703
https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017
Related Vulnerabilities
CVE-2022-24913 Vulnerability in maven package com.fasterxml.util:java-merge-sort
CVE-2021-23337 Vulnerability in maven package org.fujion.webjars:lodash
CVE-2021-31407 Vulnerability in maven package com.vaadin:flow-server
CVE-2022-41940 Vulnerability in maven package org.webjars.npm:engine.io
CVE-2023-49486 Vulnerability in maven package com.jfinal:jfinal