PT-2022-26099 · Hsqldb+4

Published 2022-06-10 · Updated 2023-12-22 · CVE-2022-41853

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: hsqldb versions prior to 2.7.1

Description: The issue affects applications that use java.sql.Statement or java.sql.PreparedStatement in hsqldb to process untrusted input, making them vulnerable to remote code execution. By default, hsqldb allows calling any static method of any Java class on the classpath, which results in code execution.

Recommendations: For versions prior to 2.7.1, update to 2.7.1 or set the system property hsqldb.method_class_names to the classes that are allowed to be called, for example with System.setProperty("hsqldb.method_class_names", "abc") or the Java argument -Dhsqldb.method_class_names="abc".

Fix

RCE

Related Identifiers

BDU:2026-01710
CESA-2022_8560
CVE-2022-41853
DLA-3234-1
DSA-5313-1
GHSA-77XX-RXVH-Q682
OESA-2023-1924
OESA-2023-1944
OPENSUSE-SU-2022_3823-1
OPENSUSE-SU-2024:12450-1
RHSA-2022:8559
RHSA-2022:8560
RHSA-2022_8559
RHSA-2022_8560
RHSA-2023:1512
RHSA-2023:1513
RHSA-2023:1514
RHSA-2024:10207
RHSA-2024:10208
SUSE-SU-2022:3823-1
SUSE-SU-2022:3864-1
SUSE-SU-2022_3864-1

Affected Products

Astra Linux
Centos
Red Hat
Suse
Hsqldb