Description

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

Remediation

References

http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7

https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html

https://www.debian.org/security/2023/dsa-5313

Related Vulnerabilities

CVE-2021-25978 Vulnerability in npm package apostrophe

CVE-2019-10476 Vulnerability in maven package org.jenkins-ci.plugins:zulip

CVE-2020-2119 Vulnerability in maven package org.jenkins-ci.plugins:azure-ad

CVE-2019-14540 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2016-3086 Vulnerability in maven package org.apache.hadoop:hadoop-common

Severity

Critical

Classification

CWE-470 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Mailing List