Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2022-46337
Summary
A cleverly devised username might bypass LDAP authentication checks in versions prior to 10.14.3, 10.15.0.x prior to 10.15.2.1, 10.16.0.x prior to 10.16.1.2, and 10.17.0.x prior to 10.17.1.0. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures. Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.
CVSS base metrics
- Attack complexity: LOW
- Attack vector: NETWORK
- Availability impact: HIGH
- Scope: UNCHANGED
- Privileges required: NONE
- User interaction: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
CWE-74 - Injection
Listed as the number one web application security risk on the 'OWASP Top Ten', injection attacks are widespread and dangerous, especially in legacy applications. Injection attacks are a class of vulnerabilities in which an attacker injects untrusted data into a web application that gets processed by an interpreter, altering the program's execution. This can result in data loss/theft, loss of data integrity, denial of service, and even compromising the entire system.
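The summary above describes the Derby flaw as a crafted username that alters an LDAP authentication check, which is exactly the CWE-74 pattern of splicing untrusted input into a filter. The following is an added example, not code from the advisory or from Apache Derby: it shows the unsafe concatenation beside the hardened form that escapes the username per RFC 4515, and a simple structural invariant a defender can assert on the resulting filter. The attribute names (objectClass, uid) and the sample username are constructed for illustration.

```python
# Added example (not from the advisory or Apache Derby): neutralising LDAP
# filter metacharacters in a username before it is placed into a search filter.

# RFC 4515 section 3: these characters must be escaped inside an assertion value
# as a backslash followed by two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string so the LDAP server treats it as a literal assertion value.

    A single character-by-character pass avoids double-escaping the backslash.
    """
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """Vulnerable pattern (CWE-74): raw concatenation lets '(' ')' '*' in the
    username change the structure of the filter instead of its value."""
    return f"(&(objectClass=inetOrgPerson)(uid={username}))"


def build_user_filter(username: str) -> str:
    """Hardened form: whatever the username contains, it remains one value."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_ldap_filter_value(username)}))"


def filter_item_count(ldap_filter: str) -> int:
    """Number of structural filter items. Escaped parentheses are emitted as
    '\\28' / '\\29', so every literal '(' left in the string is structural.
    For a fixed template this count must not depend on the input."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample: a username carrying filter metacharacters.
    sample = "o'neil*(test)"
    print("unsafe  :", build_user_filter_unsafe(sample), filter_item_count(build_user_filter_unsafe(sample)))
    print("hardened:", build_user_filter(sample), filter_item_count(build_user_filter(sample)))
```

The template in `build_user_filter` always yields three filter items, so a different count at runtime is a reliable sign that unescaped input reached the filter.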