CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-46337 – Apache Derby: LDAP injection vulnerability in authenticator
https://notcve.org/view.php?id=CVE-2022-46337
20 Nov 2023 — A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view ... • https://lists.apache.org/thread/q23kvvtoohgzwybxpwozmvvk17rp0td3 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2018-1313
https://notcve.org/view.php?id=CVE-2018-1313
07 May 2018 — In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected rele... • https://github.com/tafamace/CVE-2018-1313 •
CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0CVE-2010-2232
https://notcve.org/view.php?id=CVE-2010-2232
23 Oct 2017 — In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file. En Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4 y 10.4.1.3, el procesamiento de Export puede permitir que un atacante sobrescriba un archivo existente. • http://db.apache.org/derby/releases/release-10.6.2.1.html#Note+for+DERBY-2925 • CWE-284: Improper Access Control •
CVSS: 9.1EPSS: 0%CPEs: 20EXPL: 0CVE-2015-1832
https://notcve.org/view.php?id=CVE-2015-1832
03 Oct 2016 — XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype. Vulnerabilidad de XXE en el código SqlXmlUtil en Apache Derby en versiones anteriores a 10.12.1.1, cuando un Java Security Manager no está en su lugar, permite a atacantes depedientes del contexto leer archi... • http://www-01.ibm.com/support/docview.wss?uid=swg21990100 • CWE-399: Resource Management Errors CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2009-4269
https://notcve.org/view.php?id=CVE-2009-4269
16 Aug 2010 — The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution. El algoritmo de generación del hash de la contraseña en la funcionalidad autenticación BUILTIN de Apache Derby en versiones anteriores a... • http://blogs.sun.com/kah/entry/derby_10_6_1_has • CWE-310: Cryptographic Issues •