Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

Back to All

CVE

CVE-2022-41853

HyperSQL DataBase vulnerable to remote code execution when processing untrusted input

Description

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.methodclassnames" to classes which are allowed to be called. For example, System.setProperty("hsqldb.methodclassnames", "abc") or Java argument -Dhsqldb.methodclassnames="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

Base CVSS

9.8

EPSS Score

70.65%

Introduced Version

1.8.0.10

Fix Available

2.7.1

Fix without Upgrading

Available Patches

Package

CVEs Fixed

Lines of Code Changed

References

https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html

https://www.debian.org/security/2023/dsa-5313

http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7

https://sourceforge.net/projects/hsqldb

https://nvd.nist.gov/vuln/detail/CVE-2022-41853

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance

Oops! Something went wrong, please try again.