
Katherine Marsden

#20419 of 53,632
12.5 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2017-4814
7.5
2017-10-23
Apache · Apache Derby · CVE-2010-2232
Name of the Vulnerable Software and Affected Versions: Apache Derby versions 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3
Description: The issue in Apache Derby allows an attacker to potentially overwrite an existing file during Export processing.
Recommendations: For Apache Derby version 10.1.2.1, update to a version that fixes the issue. For Apache Derby version 10.2.2.0, update to a version that fixes the issue. For Apache Derby version 10.3.1.4, update to a version that fixes the issue. For Apache Derby version 10.4.1.3, update to a version that fixes the issue.
PT-2005-5510
5.0
2005-12-31
Apache · Apache Derby · CVE-2005-4849
Name of the Vulnerable Software and Affected Versions: Apache Derby versions prior to 10.1.2.1
Description: The issue exposes the `user` and `password` attributes in cleartext via the RDBNAM parameter of the ACCSEC command and the output of the `DatabaseMetaData.getURL` function, allowing attackers to obtain sensitive information.
Recommendations: For Apache Derby versions prior to 10.1.2.1, update to version 10.1.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the ACCSEC command and the `DatabaseMetaData.getURL` function to minimize the risk of exploitation. Avoid using the `user` and `password` attributes in cleartext until the issue is resolved.