CVE-2022-46337 — Injection in Apache Derby

CWE-74 — Injection CWE-94 — Code Injection8 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.0%

top 85.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Derby Apache Software Foundation Apache Derby

Timeline

PublishedNov 20

Latest updateOct 15

Description

A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an at…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/derby10.1.1.0 — 10.14.3.0+2

▶Debianapache/derby< 10.14.2.0-3+1

▶CVEListV5apache_software_foundation/apache_derby10.1.1.0 — 10.1.3.1+15

🔴Vulnerability Details

GHSA

Apache Derby: LDAP injection vulnerability in authenticator↗2023-11-20

▶

OSV

CVE-2022-46337: A cleverly devised username might bypass LDAP authentication checks↗2023-11-20

▶

CVEList

Apache Derby: LDAP injection vulnerability in authenticator↗2023-11-20

▶

OSV

Apache Derby: LDAP injection vulnerability in authenticator↗2023-11-20

▶

📋Vendor Advisories

Oracle

Oracle Oracle Commerce Risk Matrix: Workbench (Apache Derby) — CVE-2022-46337↗2024-10-15

▶

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Load Testing for Web Apps (Apache Derby) — CVE-2022-46337↗2024-04-15

▶

Debian

CVE-2022-46337: derby - A cleverly devised username might bypass LDAP authentication checks. In LDAP-au...↗2022

▶