CVE-2022-46337

Published 2023-11-20T08:49:38.619Z
No CVSS data available

Description

A cleverly devised username might bypass LDAP authentication checks. In
LDAP-authenticated Derby installations, this could let an attacker fill
up the disk by creating junk Derby databases. In LDAP-authenticated
Derby installations, this could also allow the attacker to execute
malware which was visible to and executable by the account which booted
the Derby server. In LDAP-protected databases which weren't also
protected by SQL GRANT/REVOKE authorization, this vulnerability could
also let an attacker view and corrupt sensitive data and run sensitive
database functions and procedures.

Mitigation:

Users should upgrade to Java 21 and Derby 10.17.1.0.

Alternatively, users who wish to remain on older Java versions should
build their own Derby distribution from one of the release families to
which the fix was backported: 10.16, 10.15, and 10.14. Those are the
releases which correspond, respectively, with Java LTS versions 17, 11,
and 8.

GitHub Security Advisories

GitHub Reviewed. Severity: CRITICAL

Apache Derby: LDAP injection vulnerability in authenticator

GHSA-rcjc-c4pj-xxrp

Advisory Details: the advisory text is identical to the Description and Mitigation sections above.

Affected Packages (Maven, org.apache.derby:derby)

≥10.1.1.0 and <10.14.3
≥10.15.0.0 and <10.15.2.1
≥10.16.0.0 and <10.16.1.2
≥10.17.0.0 and <10.17.1.0

CVSS Scoring (from the GitHub advisory)

CVSS Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Advisory provided by GitHub Security Advisory Database. Published: November 20, 2023, Modified: January 22, 2024

Published: 2023-11-20T08:49:38.619Z
Last Modified: 2024-08-03T14:31:46.301Z