
CVSS: 9.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases, and could also allow the attacker to execute malware that was visible to and executable by the account which booted the Derby server. In LDAP-protected databases that were not also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures.

Mitigation: Users should upgrade to Java 21 and Derby 10.17.1.0. Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.

• https://lists.apache.org/thread/q23kvvtoohgzwybxpwozmvvk17rp0td3
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 9.1 | EPSS: 0% | CPEs: 20 | EXPL: 0

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.

• http://www-01.ibm.com/support/docview.wss?uid=swg21990100
• http://www.securityfocus.com/bid/93132
• https://issues.apache.org/jira/browse/DERBY-6807
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
• https://lists.apache.org…
• CWE-399: Resource Management Errors
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 2.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

• http://blogs.sun.com/kah/entry/derby_10_6_1_has
• http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269
• http://marc.info/?l=apache-db-general&m=127428514905504&w=1
• http://marcellmajor.com/derbyhash.html
• http://secunia.com/advisories/42948
• http://secunia.com/advisories/42970
• http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
• http://www.securityfocus.com/bid/42637
• http://www.securitytracker.com/id?1024977
• http:…
• CWE-310: Cryptographic Issues

CVSS: 4.0 | EPSS: 0% | CPEs: 3 | EXPL: 0

Apache Derby before 10.2.1.6 does not determine schema privilege requirements during the DropSchemaNode bind phase, which allows remote authenticated users to execute arbitrary drop schema statements in SQL authorization mode.

• http://db.apache.org/derby/releases/release-10.2.1.6.html
• http://issues.apache.org/jira/browse/DERBY-1858
• http://secunia.com/advisories/28636
• http://www.novell.com/linux/security/advisories/suse_security_summary_report.html

CVSS: 4.0 | EPSS: 0% | CPEs: 3 | EXPL: 0

Apache Derby before 10.2.1.6 does not determine privilege requirements for lock table statements at compilation time, and consequently does not enforce privilege requirements at execution time, which allows remote authenticated users to lock arbitrary tables.

• http://db.apache.org/derby/releases/release-10.2.1.6.html
• http://issues.apache.org/jira/browse/DERBY-1708