Remote Code Execution (RCE) Affecting org.hsqldb:hsqldb package, versions [,2.7.1)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGHSQLDB-3040860
- published 7 Oct 2022
- disclosed 6 Oct 2022
- credit OSS Fuzz Team
Introduced: 6 Oct 2022
CVE-2022-41853 Open this link in a new tabHow to fix?
Upgrade org.hsqldb:hsqldb
to version 2.7.1 or higher.
Overview
Affected versions of this package are vulnerable to Remote Code Execution (RCE) when using java.sql.Statement
or java.sql.PreparedStatement
to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.
Workaround
Users who are unable to upgrade to the fixed version can set the system property hsqldb.method_class_names
to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc")
or Java argument -Dhsqldb.method_class_names="abc"
can be used.