UBUNTU-CVE-2022-41853

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2022-41853

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-41853.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2022-41853

Related

CVE-2022-41853

Published

2022-10-06T18:17:00Z

Modified

2024-10-15T14:10:13Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.methodclassnames" to classes which are allowed to be called. For example, System.setProperty("hsqldb.methodclassnames", "abc") or Java argument -Dhsqldb.methodclassnames="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

References

Affected packages

Ubuntu:Pro:16.04:LTS / hsqldb

Package

Name: hsqldb
Purl: pkg:deb/ubuntu/hsqldb?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.9+dfsg-4ubuntu1

2.3.3+dfsg2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / hsqldb

Package

Name: hsqldb
Purl: pkg:deb/ubuntu/hsqldb?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.4.0-2

2.4.1-2~18.04

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / hsqldb

Package

Name: hsqldb
Purl: pkg:deb/ubuntu/hsqldb?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.5.0-1build2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / hsqldb

Package

Name: hsqldb
Purl: pkg:deb/ubuntu/hsqldb?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.5.1-1

2.6.0-1

2.6.1-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / hsqldb

Package

Name: hsqldb
Purl: pkg:deb/ubuntu/hsqldb?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.7.2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / hsqldb

Package

Name: hsqldb
Purl: pkg:deb/ubuntu/hsqldb?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.7.2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}