CVE-2022-46337
published 2023-11-20


Priority: P261 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.42% (69.4th percentile)
A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures. Mitigation: Users should upgrade to Java 21 and Derby 10.17.1.0. Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.

Affected (22 ranges)

Vendor                       Product        Version range                 Fixed in
apache                       derby          (unspecified)                 -
apache                       derby          >= 0 < 10.14.2.0-3            10.14.2.0-3
apache                       derby          >= 0 < 10.14.2.0-3            10.14.2.0-3
apache                       derby          >= 10.1.1.0 < 10.14.3.0       10.14.3.0
apache                       derby          >= 10.15.1.3 < 10.15.2.1      10.15.2.1
apache_software_foundation   apache_derby   (unspecified)                 -
apache_software_foundation   apache_derby   (unspecified)                 -
apache_software_foundation   apache_derby   (unspecified)                 -
apache_software_foundation   apache_derby   (unspecified)                 -
apache_software_foundation   apache_derby   (unspecified)                 -
apache_software_foundation   apache_derby   (unspecified)                 -
apache_software_foundation   apache_derby   (unspecified)                 -
apache_software_foundation   apache_derby   10.1.1.0 – 10.1.3.1           -
apache_software_foundation   apache_derby   10.10.1.1 – 10.10.2.0         -
apache_software_foundation   apache_derby   10.15.1.3 – 10.15.2.0         -
apache_software_foundation   apache_derby   10.2.1.6 – 10.2.2.0           -
apache_software_foundation   apache_derby   10.3.1.4 – 10.3.3.0           -
apache_software_foundation   apache_derby   10.4.1.3 – 10.4.2.0           -
apache_software_foundation   apache_derby   10.5.1.1 – 10.5.3.0           -
apache_software_foundation   apache_derby   10.6.1.0 – 10.6.2.1           -
apache_software_foundation   apache_derby   10.8.1.2 – 10.8.3.0           -
debian                       derby          < derby 10.14.2.0-3 (forky)   derby 10.14.2.0-3 (forky)

Detection & IOCs (extracted from sources)

  • LDAP authentication bypass via crafted username in Apache Derby; monitor for unexpected Derby database creation (disk fill) or execution of processes under the Derby server account
  • In LDAP-protected Derby deployments without SQL GRANT/REVOKE authorization, watch for unauthorized data access or execution of database functions/procedures by unauthenticated users
  • Exploitable remotely over HTTP with CVSS 9.8; prioritize detection on network-exposed Derby instances using LDAP authentication
  • Vulnerability only affects Derby installations configured to use LDAP authentication; Derby instances using native or no authentication are not impacted by this specific bypass
  • Additional SQL GRANT/REVOKE authorization layered on top of LDAP authentication limits the blast radius; databases without this second layer are fully exposed to data access and corruption
  • Fixed versions are Derby 10.17.1.0 (Java 21), 10.16.x (Java 17), 10.15.x (Java 11), and 10.14.x (Java 8); Debian bookworm and bullseye remain open/unpatched as of advisory publication

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv             -         9.8     CRITICAL   -
vendor_debian   -         9.8     CRITICAL   -
vendor_oracle   -         9.8     CRITICAL   -