CVE-2022-41853

Remote code execution in HyperSQL DataBase

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

Aquellos que usan los archivos java.sql.Statement o java.sql.PreparedStatement en hsqldb (HyperSQL DataBase) para procesar entradas no confiables pueden ser vulnerables a un ataque de ejecución de código remota. Por defecto es permitido llamar a cualquier método estático de cualquier clase Java en el classpath, resultando en una ejecución de código. El problema puede evitarse al actualizar a versión 2.7.1 o al establecer la propiedad del sistema "hsqldb.method_class_names" a las clases a las que sea permitido llamar. Por ejemplo, puede usarse System.setProperty("hsqldb.method_class_names", "abc") o el argumento de Java -Dhsqldb.method_class_names="abc". A partir de la versión 2.7.1 todas las clases por defecto no son accesibles excepto las de java.lang.Math y deben ser habilitadas manualmente

A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-09-30 CVE Reserved
2022-10-06 CVE Published
2023-11-24 First Exploit
2025-04-18 EPSS Updated
2025-04-21 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CAPEC

References (7)

URL	Tag	Source
http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control	Third Party Advisory
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7	Mailing List
https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html	Mailing List

URL	Date	SRC
https://github.com/mbadanoiu/CVE-2022-41853	2023-11-24

URL	Date	SRC

URL	Date	SRC
https://www.debian.org/security/2023/dsa-5313	2023-02-03
https://access.redhat.com/security/cve/CVE-2022-41853	2024-11-25
https://bugzilla.redhat.com/show_bug.cgi?id=2136141	2024-11-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hsqldb Search vendor "Hsqldb"		Hypersql Database Search vendor "Hsqldb" for product "Hypersql Database"				< 2.7.1 Search vendor "Hsqldb" for product "Hypersql Database" and version " < 2.7.1"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected