Scaner-VS
CVE-2022-41853 (source: DEB) · Critical · Confirmed · Exploit available

CVSS: 9.8 (Critical)
EPSS: 0.04 (p87)
Published: 2022-01-01
Updated: 2022-01-01
Description

Applications that use java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default, any static method of any Java class on the classpath may be called from SQL, which results in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to the classes that are allowed to be called, for example System.setProperty("hsqldb.method_class_names", "abc") in code or the Java argument -Dhsqldb.method_class_names="abc" on the command line. From version 2.7.1 onward, no classes are accessible by default except those in java.lang.Math; any others must be enabled explicitly.

Tags · CWE: Pre-auth · CWE-470 · CAPEC-138
Affected products (summary): eap7-activemq-artemis-native, eap7-apache-cxf, eap7-apache-mime4j, eap7-artemis-native, eap7-artemis-wildfly-integration, eap7-avro, eap7-bouncycastle, eap7-h2database, eap7-infinispan
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline: Published 2022-01-01 · Updated 2022-01-01
CVSS 3.1 breakdown
Attack Vector (AV:N): Network
Attack Complexity (AC:L): Low
Privileges Required (PR:N): None
User Interaction (UI:N): None
Scope (S:U): Unchanged
Confidentiality Impact (C:H): High
Integrity Impact (I:H): High
Availability Impact (A:H): High
Exploit indicators
EPSS: 0.035 (p87)
Known exploited (KEV): No
Known exploits (Сканер-ВС): github-poc · https://github.com/mbadanoiu/CVE-2022-41853
Affected products (showing first 20 of 98)
Product | Vendor | Status
eap7-activemq-artemis-native | | Tracked
eap7-activemq-artemis-native | | Tracked
eap7-activemq-artemis-native | | Tracked
eap7-apache-cxf | | Tracked
eap7-apache-cxf | | Tracked
eap7-apache-mime4j | | Tracked
eap7-apache-mime4j | | Tracked
eap7-apache-mime4j | | Tracked
eap7-artemis-native | | Tracked
eap7-artemis-native | | Tracked
eap7-artemis-native | | Tracked
eap7-artemis-wildfly-integration | | Tracked
eap7-artemis-wildfly-integration | | Tracked
eap7-artemis-wildfly-integration | | Tracked
eap7-avro | | Tracked
eap7-avro | | Tracked
eap7-bouncycastle | | Tracked
eap7-h2database | | Tracked
eap7-h2database | | Tracked
eap7-infinispan | | Tracked
Source databases: DEB · CVE · RED · UBU