Vulnerabilities related to Apache Derby
cve-2006-7217
Vulnerability from cvelistv5
Published
2007-07-05 20:00
Modified
2024-08-07 20:57
Summary
Apache Derby before 10.2.1.6 does not determine schema privilege requirements during the DropSchemaNode bind phase, which allows remote authenticated users to execute arbitrary drop schema statements in SQL authorization mode.
References
▼ | URL | Tags |
---|---|---|
http://www.novell.com/linux/security/advisories/suse_security_summary_report.html | vendor-advisory, x_refsource_SUSE | |
http://db.apache.org/derby/releases/release-10.2.1.6.html | x_refsource_CONFIRM | |
http://issues.apache.org/jira/browse/DERBY-1858 | x_refsource_CONFIRM | |
http://secunia.com/advisories/28636 | third-party-advisory, x_refsource_SECUNIA | |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T20:57:41.006Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "SUSE-SR:2008:002", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://www.novell.com/linux/security/advisories/suse_security_summary_report.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://db.apache.org/derby/releases/release-10.2.1.6.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://issues.apache.org/jira/browse/DERBY-1858" }, { "name": "28636", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/28636" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-10-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache Derby before 10.2.1.6 does not determine schema privilege requirements during the DropSchemaNode bind phase, which allows remote authenticated users to execute arbitrary drop schema statements in SQL authorization mode." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-02-01T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "SUSE-SR:2008:002", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/suse_security_summary_report.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://db.apache.org/derby/releases/release-10.2.1.6.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://issues.apache.org/jira/browse/DERBY-1858" }, { "name": "28636", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/28636" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-7217", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Derby before 10.2.1.6 does not determine schema privilege requirements during the DropSchemaNode bind phase, which allows remote authenticated users to execute arbitrary drop schema statements in SQL authorization mode." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "SUSE-SR:2008:002", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/suse_security_summary_report.html" }, { "name": "http://db.apache.org/derby/releases/release-10.2.1.6.html", "refsource": "CONFIRM", "url": "http://db.apache.org/derby/releases/release-10.2.1.6.html" }, { "name": "http://issues.apache.org/jira/browse/DERBY-1858", "refsource": "CONFIRM", "url": "http://issues.apache.org/jira/browse/DERBY-1858" }, { "name": "28636", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28636" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-7217", "datePublished": "2007-07-05T20:00:00", "dateReserved": "2007-07-05T00:00:00", "dateUpdated": "2024-08-07T20:57:41.006Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-46337
Vulnerability from cvelistv5
Published
2023-11-20 08:49
Modified
2024-08-03 14:31
Summary
A cleverly devised username might bypass LDAP authentication checks. In
LDAP-authenticated Derby installations, this could let an attacker fill
up the disk by creating junk Derby databases. In LDAP-authenticated
Derby installations, this could also allow the attacker to execute
malware which was visible to and executable by the account which booted
the Derby server. In LDAP-protected databases which weren't also
protected by SQL GRANT/REVOKE authorization, this vulnerability could
also let an attacker view and corrupt sensitive data and run sensitive
database functions and procedures.
Mitigation:
Users should upgrade to Java 21 and Derby 10.17.1.0.
Alternatively, users who wish to remain on older Java versions should
build their own Derby distribution from one of the release families to
which the fix was backported: 10.16, 10.15, and 10.14. Those are the
releases which correspond, respectively, with Java LTS versions 17, 11,
and 8.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/q23kvvtoohgzwybxpwozmvvk17rp0td3 | vendor-advisory | |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache Derby |
Version: 10.1.1.0 ≤ 10.1.3.1 Version: 10.2.1.6 ≤ 10.2.2.0 Version: 10.3.1.4 ≤ 10.3.3.0 Version: 10.4.1.3 ≤ 10.4.2.0 Version: 10.5.1.1 ≤ 10.5.3.0 Version: 10.6.1.0 ≤ 10.6.2.1 Version: 10.7.1.1 Version: 10.8.1.2 ≤ 10.8.3.0 Version: 10.9.1.0 Version: 10.10.1.1 ≤ 10.10.2.0 Version: 10.11.1.1 Version: 10.12.1.1 Version: 10.13.1.1 Version: 10.14.2.0 Version: 10.15.1.3 ≤ 10.15.2.0 Version: 10.16.1.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:31:46.301Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/q23kvvtoohgzwybxpwozmvvk17rp0td3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://repo1.maven.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.derby", "product": "Apache Derby", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "10.1.3.1", "status": "affected", "version": "10.1.1.0", "versionType": "semver" }, { "lessThanOrEqual": "10.2.2.0", "status": "affected", "version": "10.2.1.6", "versionType": "semver" }, { "lessThanOrEqual": "10.3.3.0", "status": "affected", "version": "10.3.1.4", "versionType": "semver" }, { "lessThanOrEqual": "10.4.2.0", "status": "affected", "version": "10.4.1.3", "versionType": "semver" }, { "lessThanOrEqual": "10.5.3.0", "status": "affected", "version": "10.5.1.1", "versionType": "semver" }, { "lessThanOrEqual": "10.6.2.1", "status": "affected", "version": "10.6.1.0", "versionType": "semver" }, { "status": "affected", "version": "10.7.1.1" }, { "lessThanOrEqual": "10.8.3.0", "status": "affected", "version": "10.8.1.2", "versionType": "semver" }, { "status": "affected", "version": "10.9.1.0" }, { "lessThanOrEqual": "10.10.2.0", "status": "affected", "version": "10.10.1.1", "versionType": "semver" }, { "status": "affected", "version": "10.11.1.1" }, { "status": "affected", "version": "10.12.1.1" }, { "status": "affected", "version": "10.13.1.1" }, { "status": "affected", "version": "10.14.2.0" }, { "lessThanOrEqual": "10.15.2.0", "status": "affected", "version": "10.15.1.3", "versionType": "semver" }, { "status": "affected", "version": "10.16.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "This issue was discovered by \ufeff4ra1n and Y4tacker, who also 
proposed the fix." } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A cleverly devised username might bypass LDAP authentication checks. In \nLDAP-authenticated Derby installations, this could let an attacker fill \nup the disk by creating junk Derby databases. In LDAP-authenticated \nDerby installations, this could also allow the attacker to execute \nmalware which was visible to and executable by the account which booted \nthe Derby server. In LDAP-protected databases which weren\u0027t also \nprotected by SQL GRANT/REVOKE authorization, this vulnerability could \nalso let an attacker view and corrupt sensitive data and run sensitive \ndatabase functions and procedures.\n\u003cbr\u003e\n\u003cbr\u003eMitigation:\n\u003cbr\u003eUsers should upgrade to Java 21 and Derby 10.17.1.0.\n\u003cbr\u003eAlternatively, users who wish to remain on older Java versions should \nbuild their own Derby distribution from one of the release families to \nwhich the fix was backported: 10.16, 10.15, and 10.14. Those are the \nreleases which correspond, respectively, with Java LTS versions 17, 11, \nand 8.\n\u003cbr\u003e\n\u003cbr\u003e" } ], "value": "A cleverly devised username might bypass LDAP authentication checks. In \nLDAP-authenticated Derby installations, this could let an attacker fill \nup the disk by creating junk Derby databases. In LDAP-authenticated \nDerby installations, this could also allow the attacker to execute \nmalware which was visible to and executable by the account which booted \nthe Derby server. 
In LDAP-protected databases which weren\u0027t also \nprotected by SQL GRANT/REVOKE authorization, this vulnerability could \nalso let an attacker view and corrupt sensitive data and run sensitive \ndatabase functions and procedures.\n\nMitigation:\n\nUsers should upgrade to Java 21 and Derby 10.17.1.0.\n\nAlternatively, users who wish to remain on older Java versions should \nbuild their own Derby distribution from one of the release families to \nwhich the fix was backported: 10.16, 10.15, and 10.14. Those are the \nreleases which correspond, respectively, with Java LTS versions 17, 11, \nand 8.\n\n" } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "description": "LDAP Injection", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-03T17:04:10.464Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/q23kvvtoohgzwybxpwozmvvk17rp0td3" } ], "source": { "defect": [ "DERBY-7147" ], "discovery": "UNKNOWN" }, "title": "Apache Derby: LDAP injection vulnerability in authenticator", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-46337", "datePublished": "2023-11-20T08:49:38.619Z", "dateReserved": "2022-11-29T16:35:03.918Z", "dateUpdated": "2024-08-03T14:31:46.301Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-4269
Vulnerability from cvelistv5
Published
2010-08-16 19:00
Modified
2024-08-07 06:54
Summary
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
References
▼ | URL | Tags |
---|---|---|
http://marc.info/?l=apache-db-general&m=127428514905504&w=1 | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/42948 | third-party-advisory, x_refsource_SECUNIA | |
https://issues.apache.org/jira/browse/DERBY-4483 | x_refsource_CONFIRM | |
http://blogs.sun.com/kah/entry/derby_10_6_1_has | x_refsource_MISC | |
http://www.vupen.com/english/advisories/2011/0149 | vdb-entry, x_refsource_VUPEN | |
http://secunia.com/advisories/42970 | third-party-advisory, x_refsource_SECUNIA | |
http://marcellmajor.com/derbyhash.html | x_refsource_MISC | |
http://www.securitytracker.com/id?1024977 | vdb-entry, x_refsource_SECTRACK | |
http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/42637 | vdb-entry, x_refsource_BID | |
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html | x_refsource_CONFIRM | |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:54:10.308Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[apache-db-general] 20100519 [ANNOUNCE] Apache Derby 10.6.1.0 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=apache-db-general\u0026m=127428514905504\u0026w=1" }, { "name": "42948", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42948" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/jira/browse/DERBY-4483" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://blogs.sun.com/kah/entry/derby_10_6_1_has" }, { "name": "ADV-2011-0149", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0149" }, { "name": "42970", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42970" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://marcellmajor.com/derbyhash.html" }, { "name": "1024977", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1024977" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269" }, { "name": "42637", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/42637" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-05-19T00:00:00", "descriptions": [ { "lang": "en", "value": "The 
password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2011-01-22T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[apache-db-general] 20100519 [ANNOUNCE] Apache Derby 10.6.1.0 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=apache-db-general\u0026m=127428514905504\u0026w=1" }, { "name": "42948", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42948" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/jira/browse/DERBY-4483" }, { "tags": [ "x_refsource_MISC" ], "url": "http://blogs.sun.com/kah/entry/derby_10_6_1_has" }, { "name": "ADV-2011-0149", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0149" }, { "name": "42970", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42970" }, { "tags": [ "x_refsource_MISC" ], "url": "http://marcellmajor.com/derbyhash.html" }, { "name": "1024977", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1024977" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269" }, { "name": "42637", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/42637" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2009-4269", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[apache-db-general] 20100519 [ANNOUNCE] Apache Derby 10.6.1.0 released", "refsource": "MLIST", "url": "http://marc.info/?l=apache-db-general\u0026m=127428514905504\u0026w=1" }, { "name": "42948", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42948" }, { "name": "https://issues.apache.org/jira/browse/DERBY-4483", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/DERBY-4483" }, { "name": "http://blogs.sun.com/kah/entry/derby_10_6_1_has", "refsource": "MISC", "url": "http://blogs.sun.com/kah/entry/derby_10_6_1_has" }, { "name": "ADV-2011-0149", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2011/0149" }, { "name": "42970", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42970" }, { "name": "http://marcellmajor.com/derbyhash.html", "refsource": "MISC", "url": "http://marcellmajor.com/derbyhash.html" }, { "name": "1024977", "refsource": "SECTRACK", "url": 
"http://www.securitytracker.com/id?1024977" }, { "name": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269", "refsource": "CONFIRM", "url": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269" }, { "name": "42637", "refsource": "BID", "url": "http://www.securityfocus.com/bid/42637" }, { "name": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2009-4269", "datePublished": "2010-08-16T19:00:00", "dateReserved": "2009-12-10T00:00:00", "dateUpdated": "2024-08-07T06:54:10.308Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1313
Vulnerability from cvelistv5
Published
2018-05-07 13:00
Modified
2024-09-16 16:23
Summary
In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache Derby |
Version: 10.3.1.4 to 10.14.1.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:59:39.045Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "name": "[derby-user] 20180505 [ANNOUNCE] CVE-2018-1313: Apache Derby externally-controlled input vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://markmail.org/message/akkappppxcdqrgxk" }, { "name": "104140", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/104140" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "name": "[hive-dev] 20211007 [jira] [Created] (HIVE-25597) Bump Apache Derby 10.14.1.0 to 10.14.2.0 CVE-2018-1313", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re29ab90978e6c997377fb975f674f7514f6beb642bbf79deb45477e5%40%3Cdev.hive.apache.org%3E" 
}, { "name": "[hive-issues] 20211007 [jira] [Assigned] (HIVE-25597) Bump Apache Derby 10.14.1.0 to 10.14.2.0 CVE-2018-1313", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r437d94437e6aef31af689b1e7025d024d676fd1ea9901d74e3e9ae48%40%3Cissues.hive.apache.org%3E" }, { "name": "[hive-issues] 20211007 [jira] [Commented] (HIVE-25597) Bump Apache Derby 10.14.1.0 to 10.14.2.0 CVE-2018-1313", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6755f48d4f5e44e39bba7dbf8d746678239d7f1f2cc108125519ce53%40%3Cissues.hive.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Derby", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "10.3.1.4 to 10.14.1.0" } ] } ], "datePublic": "2018-05-05T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user\u0027s control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work." 
} ], "problemTypes": [ { "descriptions": [ { "description": "externally-controlled input vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-07T08:06:08", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "name": "[derby-user] 20180505 [ANNOUNCE] CVE-2018-1313: Apache Derby externally-controlled input vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://markmail.org/message/akkappppxcdqrgxk" }, { "name": "104140", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/104140" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "name": "[hive-dev] 20211007 [jira] [Created] (HIVE-25597) Bump Apache Derby 10.14.1.0 to 10.14.2.0 CVE-2018-1313", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re29ab90978e6c997377fb975f674f7514f6beb642bbf79deb45477e5%40%3Cdev.hive.apache.org%3E" }, { 
"name": "[hive-issues] 20211007 [jira] [Assigned] (HIVE-25597) Bump Apache Derby 10.14.1.0 to 10.14.2.0 CVE-2018-1313", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r437d94437e6aef31af689b1e7025d024d676fd1ea9901d74e3e9ae48%40%3Cissues.hive.apache.org%3E" }, { "name": "[hive-issues] 20211007 [jira] [Commented] (HIVE-25597) Bump Apache Derby 10.14.1.0 to 10.14.2.0 CVE-2018-1313", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6755f48d4f5e44e39bba7dbf8d746678239d7f1f2cc108125519ce53%40%3Cissues.hive.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-05-05T00:00:00", "ID": "CVE-2018-1313", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Derby", "version": { "version_data": [ { "version_value": "10.3.1.4 to 10.14.1.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user\u0027s control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "externally-controlled input vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "refsource": "CONFIRM", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "name": "[derby-user] 20180505 [ANNOUNCE] CVE-2018-1313: Apache Derby externally-controlled input vulnerability", "refsource": "MLIST", "url": "https://markmail.org/message/akkappppxcdqrgxk" }, { "name": "104140", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104140" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "name": "[hive-dev] 20211007 [jira] [Created] (HIVE-25597) Bump Apache Derby 10.14.1.0 to 10.14.2.0 CVE-2018-1313", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re29ab90978e6c997377fb975f674f7514f6beb642bbf79deb45477e5@%3Cdev.hive.apache.org%3E" }, { "name": "[hive-issues] 20211007 [jira] [Assigned] (HIVE-25597) Bump Apache Derby 10.14.1.0 to 10.14.2.0 CVE-2018-1313", "refsource": "MLIST", "url": 
"https://lists.apache.org/thread.html/r437d94437e6aef31af689b1e7025d024d676fd1ea9901d74e3e9ae48@%3Cissues.hive.apache.org%3E" }, { "name": "[hive-issues] 20211007 [jira] [Commented] (HIVE-25597) Bump Apache Derby 10.14.1.0 to 10.14.2.0 CVE-2018-1313", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6755f48d4f5e44e39bba7dbf8d746678239d7f1f2cc108125519ce53@%3Cissues.hive.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1313", "datePublished": "2018-05-07T13:00:00Z", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-09-16T16:23:24.352Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2006-7216
Vulnerability from cvelistv5
Published
2007-07-05 20:00
Modified
2024-09-16 23:46
Summary
Apache Derby before 10.2.1.6 does not determine privilege requirements for lock table statements at compilation time, and consequently does not enforce privilege requirements at execution time, which allows remote authenticated users to lock arbitrary tables.
References
▼ | URL | Tags |
---|---|---|
http://issues.apache.org/jira/browse/DERBY-1708 | x_refsource_CONFIRM | |
http://db.apache.org/derby/releases/release-10.2.1.6.html | x_refsource_CONFIRM | |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T20:57:40.734Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://issues.apache.org/jira/browse/DERBY-1708" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://db.apache.org/derby/releases/release-10.2.1.6.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Apache Derby before 10.2.1.6 does not determine privilege requirements for lock table statements at compilation time, and consequently does not enforce privilege requirements at execution time, which allows remote authenticated users to lock arbitrary tables." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2007-07-05T20:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://issues.apache.org/jira/browse/DERBY-1708" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://db.apache.org/derby/releases/release-10.2.1.6.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-7216", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Derby before 10.2.1.6 does not determine privilege requirements for lock table statements at compilation time, and consequently does not enforce privilege requirements at execution time, which 
allows remote authenticated users to lock arbitrary tables." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://issues.apache.org/jira/browse/DERBY-1708", "refsource": "CONFIRM", "url": "http://issues.apache.org/jira/browse/DERBY-1708" }, { "name": "http://db.apache.org/derby/releases/release-10.2.1.6.html", "refsource": "CONFIRM", "url": "http://db.apache.org/derby/releases/release-10.2.1.6.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-7216", "datePublished": "2007-07-05T20:00:00Z", "dateReserved": "2007-07-05T00:00:00Z", "dateUpdated": "2024-09-16T23:46:46.570Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-1832
Vulnerability from cvelistv5
Published
2016-10-03 21:00
Modified
2024-08-06 04:54
Summary
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T04:54:16.326Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "93132", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/93132" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": 
"https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/jira/browse/DERBY-6807" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21990100" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1691461" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-05-05T00:00:00", "descriptions": [ { "lang": "en", "value": "XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-20T21:14:49", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "93132", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/93132" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": 
"https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/jira/browse/DERBY-6807" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21990100" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1691461" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-1832", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "93132", "refsource": "BID", "url": "http://www.securityfocus.com/bid/93132" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "refsource": "CONFIRM", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "name": 
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "name": "https://issues.apache.org/jira/browse/DERBY-6807", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/DERBY-6807" }, { "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21990100", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21990100" }, { "name": "https://svn.apache.org/viewvc?view=revision\u0026revision=1691461", "refsource": "CONFIRM", "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1691461" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-1832", "datePublished": "2016-10-03T21:00:00", "dateReserved": "2015-02-17T00:00:00", "dateUpdated": "2024-08-06T04:54:16.326Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2005-4849
Vulnerability from cvelistv5
Published
2007-07-05 20:00
Modified
2024-09-16 23:56
Summary
Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.
References
▼ | URL | Tags |
---|---|---|
http://issues.apache.org/jira/browse/DERBY-559 | x_refsource_CONFIRM | |
http://issues.apache.org/jira/browse/DERBY-530 | x_refsource_CONFIRM | |
http://db.apache.org/derby/releases/release-10.1.2.1.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-08T00:01:23.523Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://issues.apache.org/jira/browse/DERBY-559" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://issues.apache.org/jira/browse/DERBY-530" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://db.apache.org/derby/releases/release-10.1.2.1.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2007-07-05T20:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://issues.apache.org/jira/browse/DERBY-559" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://issues.apache.org/jira/browse/DERBY-530" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://db.apache.org/derby/releases/release-10.1.2.1.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-4849", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://issues.apache.org/jira/browse/DERBY-559", "refsource": "CONFIRM", "url": "http://issues.apache.org/jira/browse/DERBY-559" }, { "name": "http://issues.apache.org/jira/browse/DERBY-530", "refsource": "CONFIRM", "url": "http://issues.apache.org/jira/browse/DERBY-530" }, { "name": "http://db.apache.org/derby/releases/release-10.1.2.1.html", "refsource": "CONFIRM", "url": "http://db.apache.org/derby/releases/release-10.1.2.1.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-4849", "datePublished": "2007-07-05T20:00:00Z", "dateReserved": "2007-07-05T00:00:00Z", "dateUpdated": "2024-09-16T23:56:48.968Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-2232
Vulnerability from cvelistv5
Published
2017-10-23 13:00
Modified
2024-08-07 02:25
Summary
In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file.
References
▼ | URL | Tags |
---|---|---|
https://issues.apache.org/jira/browse/DERBY-2925 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/101562 | vdb-entry, x_refsource_BID | |
http://db.apache.org/derby/releases/release-10.6.2.1.html#Note+for+DERBY-2925 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache Derby |
Version: 10.1.2.1, 10.2.2.0, 10.3.1.4, 10.4.1.3 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T02:25:07.510Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/jira/browse/DERBY-2925" }, { "name": "101562", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/101562" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://db.apache.org/derby/releases/release-10.6.2.1.html#Note+for+DERBY-2925" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Derby", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "10.1.2.1, 10.2.2.0, 10.3.1.4, 10.4.1.3" } ] } ], "datePublic": "2010-06-22T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-26T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/jira/browse/DERBY-2925" }, { "name": "101562", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/101562" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://db.apache.org/derby/releases/release-10.6.2.1.html#Note+for+DERBY-2925" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2010-2232", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Derby", "version": { "version_data": [ { "version_value": "10.1.2.1, 10.2.2.0, 10.3.1.4, 10.4.1.3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.apache.org/jira/browse/DERBY-2925", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/DERBY-2925" }, { "name": "101562", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101562" }, { "name": "http://db.apache.org/derby/releases/release-10.6.2.1.html#Note+for+DERBY-2925", "refsource": "CONFIRM", "url": "http://db.apache.org/derby/releases/release-10.6.2.1.html#Note+for+DERBY-2925" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2010-2232", "datePublished": "2017-10-23T13:00:00", "dateReserved": "2010-06-09T00:00:00", "dateUpdated": "2024-08-07T02:25:07.510Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2007-07-05 20:30
Modified
2024-11-21 00:24
Summary
Apache Derby before 10.2.1.6 does not determine privilege requirements for lock table statements at compilation time, and consequently does not enforce privilege requirements at execution time, which allows remote authenticated users to lock arbitrary tables.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:derby:10.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "909C93D8-EE69-4614-90A4-29289DA6D700", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF090933-1AC8-4B23-94AE-C9AD0F6372B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "C06539EB-A87C-47C2-8E13-88D9B1CAD7D8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache Derby before 10.2.1.6 does not determine privilege requirements for lock table statements at compilation time, and consequently does not enforce privilege requirements at execution time, which allows remote authenticated users to lock arbitrary tables." }, { "lang": "es", "value": "Apache Derby anterior a 10.2.1.6 no determina los requisitos de privilegios para las sentencias de bloqueo de tabla en tiempo de compilaci\u00f3n, y consecuentemente no fuerza los requisitos de privilegios en tiempo de ejecuci\u00f3n, lo cual permite a usuarios autenticados remotamente bloquear tablas de su elecci\u00f3n." 
} ], "id": "CVE-2006-7216", "lastModified": "2024-11-21T00:24:39.590", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-05T20:30:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://db.apache.org/derby/releases/release-10.2.1.6.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://issues.apache.org/jira/browse/DERBY-1708" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://db.apache.org/derby/releases/release-10.2.1.6.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://issues.apache.org/jira/browse/DERBY-1708" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-05 20:30
Modified
2024-11-21 00:24
Summary
Apache Derby before 10.2.1.6 does not determine schema privilege requirements during the DropSchemaNode bind phase, which allows remote authenticated users to execute arbitrary drop schema statements in SQL authorization mode.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:derby:10.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "909C93D8-EE69-4614-90A4-29289DA6D700", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF090933-1AC8-4B23-94AE-C9AD0F6372B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "C06539EB-A87C-47C2-8E13-88D9B1CAD7D8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache Derby before 10.2.1.6 does not determine schema privilege requirements during the DropSchemaNode bind phase, which allows remote authenticated users to execute arbitrary drop schema statements in SQL authorization mode." }, { "lang": "es", "value": "Apache Derby anterior a 10.2.1.6 no determina los requerimientos de privilegios de esquema durante la fase DropSchemaNode, lo cual permite a usuarios autenticados remotos ejecutar instrucciones de borrado de esquema en modo de autorizaci\u00f3n SQL." 
} ], "id": "CVE-2006-7217", "lastModified": "2024-11-21T00:24:39.723", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-05T20:30:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://db.apache.org/derby/releases/release-10.2.1.6.html" }, { "source": "cve@mitre.org", "url": "http://issues.apache.org/jira/browse/DERBY-1858" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/28636" }, { "source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/suse_security_summary_report.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://db.apache.org/derby/releases/release-10.2.1.6.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://issues.apache.org/jira/browse/DERBY-1858" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/28636" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.novell.com/linux/security/advisories/suse_security_summary_report.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2005-12-31 05:00
Modified
2024-11-21 00:05
Summary
Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC38C5D7-D8E5-4C7E-A047-65AF50FB3110", "versionEndIncluding": "10.1.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information." } ], "id": "CVE-2005-4849", "lastModified": "2024-11-21T00:05:19.750", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-12-31T05:00:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://db.apache.org/derby/releases/release-10.1.2.1.html" }, { "source": "cve@mitre.org", "url": "http://issues.apache.org/jira/browse/DERBY-530" }, { "source": "cve@mitre.org", "url": "http://issues.apache.org/jira/browse/DERBY-559" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://db.apache.org/derby/releases/release-10.1.2.1.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://issues.apache.org/jira/browse/DERBY-530" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://issues.apache.org/jira/browse/DERBY-559" } ], "sourceIdentifier": 
"cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-23 13:29
Modified
2024-11-21 01:16
Summary
In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file.
References
▼ | URL | Tags | |
---|---|---|---|
security@apache.org | http://db.apache.org/derby/releases/release-10.6.2.1.html#Note+for+DERBY-2925 | Issue Tracking, Patch, Vendor Advisory | |
security@apache.org | http://www.securityfocus.com/bid/101562 | ||
security@apache.org | https://issues.apache.org/jira/browse/DERBY-2925 | Patch, Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://db.apache.org/derby/releases/release-10.6.2.1.html#Note+for+DERBY-2925 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/101562 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://issues.apache.org/jira/browse/DERBY-2925 | Patch, Release Notes, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:derby:10.1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF090933-1AC8-4B23-94AE-C9AD0F6372B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "87FD448A-3CDB-4B4E-8E69-5AAD8E5C1835", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "DBA7854C-082B-44D0-ABFD-B3E35D0678A0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "A526BD06-DB2B-4B91-8DBD-10CCF21695D5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file." }, { "lang": "es", "value": "En Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4 y 10.4.1.3, el procesamiento de Export puede permitir que un atacante sobrescriba un archivo existente." 
} ], "id": "CVE-2010-2232", "lastModified": "2024-11-21T01:16:12.223", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-23T13:29:00.233", "references": [ { "source": "security@apache.org", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "http://db.apache.org/derby/releases/release-10.6.2.1.html#Note+for+DERBY-2925" }, { "source": "security@apache.org", "url": "http://www.securityfocus.com/bid/101562" }, { "source": "security@apache.org", "tags": [ "Patch", "Release Notes", "Vendor Advisory" ], "url": "https://issues.apache.org/jira/browse/DERBY-2925" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "http://db.apache.org/derby/releases/release-10.6.2.1.html#Note+for+DERBY-2925" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/101562" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Release Notes", 
"Vendor Advisory" ], "url": "https://issues.apache.org/jira/browse/DERBY-2925" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-20 09:15
Modified
2024-11-21 07:30
Summary
A cleverly devised username might bypass LDAP authentication checks. In
LDAP-authenticated Derby installations, this could let an attacker fill
up the disk by creating junk Derby databases. In LDAP-authenticated
Derby installations, this could also allow the attacker to execute
malware which was visible to and executable by the account which booted
the Derby server. In LDAP-protected databases which weren't also
protected by SQL GRANT/REVOKE authorization, this vulnerability could
also let an attacker view and corrupt sensitive data and run sensitive
database functions and procedures.
Mitigation:
Users should upgrade to Java 21 and Derby 10.17.1.0.
Alternatively, users who wish to remain on older Java versions should
build their own Derby distribution from one of the release families to
which the fix was backported: 10.16, 10.15, and 10.14. Those are the
release families that correspond, respectively, to Java LTS versions 17, 11,
and 8.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*", "matchCriteriaId": "ECA644FF-857A-4B43-BED5-9528613284F4", "versionEndExcluding": "10.14.3.0", "versionStartIncluding": "10.1.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A4C2868-1FF3-46C7-9C21-DA9C1C8268B4", "versionEndExcluding": "10.15.2.1", "versionStartIncluding": "10.15.1.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.16.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "80549185-7AB5-447C-9B9D-59B0E1156758", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A cleverly devised username might bypass LDAP authentication checks. In \nLDAP-authenticated Derby installations, this could let an attacker fill \nup the disk by creating junk Derby databases. In LDAP-authenticated \nDerby installations, this could also allow the attacker to execute \nmalware which was visible to and executable by the account which booted \nthe Derby server. In LDAP-protected databases which weren\u0027t also \nprotected by SQL GRANT/REVOKE authorization, this vulnerability could \nalso let an attacker view and corrupt sensitive data and run sensitive \ndatabase functions and procedures.\n\nMitigation:\n\nUsers should upgrade to Java 21 and Derby 10.17.1.0.\n\nAlternatively, users who wish to remain on older Java versions should \nbuild their own Derby distribution from one of the release families to \nwhich the fix was backported: 10.16, 10.15, and 10.14. Those are the \nreleases which correspond, respectively, with Java LTS versions 17, 11, \nand 8.\n\n" }, { "lang": "es", "value": "Un nombre de usuario inteligentemente dise\u00f1ado podr\u00eda omitir las comprobaciones de autenticaci\u00f3n LDAP. En instalaciones Derby autenticadas por LDAP, esto podr\u00eda permitir que un atacante llene el disco creando bases de datos Derby basura. 
En instalaciones de Derby autenticadas por LDAP, esto tambi\u00e9n podr\u00eda permitir al atacante ejecutar malware que era visible y ejecutable por la cuenta que arranc\u00f3 el servidor Derby. En bases de datos protegidas por LDAP que tampoco estaban protegidas por la autorizaci\u00f3n SQL GRANT/REVOKE, esta vulnerabilidad tambi\u00e9n podr\u00eda permitir que un atacante vea y corrompa datos confidenciales y ejecute funciones y procedimientos de bases de datos confidenciales. Mitigaci\u00f3n: los usuarios deben actualizar a Java 21 y Derby 10.17.1.0. Alternativamente, los usuarios que deseen permanecer en versiones anteriores de Java deben crear su propia distribuci\u00f3n Derby a partir de una de las familias de versiones a las que se admiti\u00f3 la soluci\u00f3n: 10.16, 10.15 y 10.14. Esas son las versiones que corresponden, respectivamente, a las versiones 17, 11 y 8 de Java LTS." } ], "id": "CVE-2022-46337", "lastModified": "2024-11-21T07:30:24.783", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-20T09:15:07.180", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List" ], "url": "https://lists.apache.org/thread/q23kvvtoohgzwybxpwozmvvk17rp0td3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "https://lists.apache.org/thread/q23kvvtoohgzwybxpwozmvvk17rp0td3" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", 
"type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-08-16 20:00
Modified
2024-11-21 01:09
Summary
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA90C098-3409-4D76-997B-46E690C1F10A", "versionEndIncluding": "10.5.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution." }, { "lang": "es", "value": "El algoritmo de generaci\u00f3n del hash de la contrase\u00f1a en la funcionalidad autenticaci\u00f3n BUILTIN de Apache Derby en versiones anteriores a la v10.6.1.0 realiza una transformaci\u00f3n que reduce el tama\u00f1o del conjunto de entrada a SHA-1, lo que produce un espacio de b\u00fasqueda peque\u00f1o que facilita a usuarios locales y, posiblemente, remotos romper contrase\u00f1as generando colisiones de hash, relacionado con la substituci\u00f3n de contrase\u00f1a." } ], "evaluatorComment": "Per https://issues.apache.org/jira/browse/DERBY-4483, the reported version affected is 10.5.3.0. 
Unable to determine if affected versions exist between 10.5.3.0 and 10.6.1.0", "id": "CVE-2009-4269", "lastModified": "2024-11-21T01:09:16.980", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-08-16T20:00:01.183", "references": [ { "source": "secalert@redhat.com", "url": "http://blogs.sun.com/kah/entry/derby_10_6_1_has" }, { "source": "secalert@redhat.com", "url": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269" }, { "source": "secalert@redhat.com", "url": "http://marc.info/?l=apache-db-general\u0026m=127428514905504\u0026w=1" }, { "source": "secalert@redhat.com", "url": "http://marcellmajor.com/derbyhash.html" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/42948" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/42970" }, { "source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/42637" }, { "source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id?1024977" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2011/0149" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://issues.apache.org/jira/browse/DERBY-4483" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://blogs.sun.com/kah/entry/derby_10_6_1_has" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=apache-db-general\u0026m=127428514905504\u0026w=1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marcellmajor.com/derbyhash.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/42948" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/42970" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/42637" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1024977" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2011/0149" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://issues.apache.org/jira/browse/DERBY-4483" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-310" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-10-03 21:59
Modified
2024-11-21 02:26
Summary
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
apache | derby | 10.1.1.0 | |
apache | derby | 10.1.2.1 | |
apache | derby | 10.1.3.1 | |
apache | derby | 10.2.1.6 | |
apache | derby | 10.2.2.0 | |
apache | derby | 10.3.3.0 | |
apache | derby | 10.4.1.3 | |
apache | derby | 10.4.2.0 | |
apache | derby | 10.5.1.1 | |
apache | derby | 10.5.3.0 | |
apache | derby | 10.6.1.0 | |
apache | derby | 10.6.2.1 | |
apache | derby | 10.7.1.1 | |
apache | derby | 10.8.1.2 | |
apache | derby | 10.8.2.2 | |
apache | derby | 10.8.3.0 | |
apache | derby | 10.9.1.0 | |
apache | derby | 10.10.1.1 | |
apache | derby | 10.10.2.0 | |
apache | derby | 10.11.1.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:derby:10.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "909C93D8-EE69-4614-90A4-29289DA6D700", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF090933-1AC8-4B23-94AE-C9AD0F6372B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "C06539EB-A87C-47C2-8E13-88D9B1CAD7D8", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "D92326AE-AD08-4C8E-879A-9DB3D55DDBA0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "87FD448A-3CDB-4B4E-8E69-5AAD8E5C1835", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "537091D0-4EC9-4B74-840B-F2BD0A454FD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "A526BD06-DB2B-4B91-8DBD-10CCF21695D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "4F7C739B-7AAE-4A93-A58B-077DCC9FA02D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "2BCE0165-5B7D-41CA-A653-1DDD0DAF4FF1", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "BC3286AB-324C-4FB8-82DE-D1BEAA0CD2F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D3A38765-D8A5-4B62-BE9E-0F9F6BBDE4A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.6.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "4FF374C8-1123-443A-A3A5-526B79CDE35D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.7.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "8C78CCD5-758D-4BFC-8FC0-92B63CF4E980", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.8.1.2:*:*:*:*:*:*:*", 
"matchCriteriaId": "7F3F2615-FE0A-4782-BCE0-C1EE3A411DC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.8.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "2D180DDA-303B-489C-90FF-2A440DBF653C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.8.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DC195475-CF18-4DE8-A246-E6C25EBA5D0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F24145B3-D16D-4C6B-BC4B-1A67FEF287A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.10.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "8E466DB3-C3BD-4337-BF59-4387638124B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.10.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE8CFA84-BB59-4201-BAF0-B838B116F5B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:derby:10.11.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "2F4E133B-2F54-417B-8BE0-B483AB175A27", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype." }, { "lang": "es", "value": "Vulnerabilidad de XXE en el c\u00f3digo SqlXmlUtil en Apache Derby en versiones anteriores a 10.12.1.1, cuando un Java Security Manager no est\u00e1 en su lugar, permite a atacantes depedientes del contexto leer archivos arbitrarios o provocar una denegaci\u00f3n de servicio (consumo de recursos) a trav\u00e9s de vectores que implican XmlVTI y el tipo de datos XML." 
} ], "id": "CVE-2015-1832", "lastModified": "2024-11-21T02:26:14.010", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-10-03T21:59:02.533", "references": [ { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21990100" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/93132" }, { "source": "secalert@redhat.com", "tags": [ "Issue Tracking" ], "url": "https://issues.apache.org/jira/browse/DERBY-6807" }, { "source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "source": "secalert@redhat.com", "url": 
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "source": "secalert@redhat.com", "tags": [ "Issue Tracking" ], "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1691461" }, { "source": "secalert@redhat.com", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "source": "secalert@redhat.com", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "source": "secalert@redhat.com", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "source": "secalert@redhat.com", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21990100" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/93132" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://issues.apache.org/jira/browse/DERBY-6807" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1691461" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-399" }, { "lang": "en", "value": "CWE-611" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-05-07 13:29
Modified
2024-11-21 03:59
Summary
In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
apache | derby | * | |
oracle | weblogic_server | 12.2.1.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*", "matchCriteriaId": "E77437BA-712B-48F6-90C2-C45CB8C9DEA1", "versionEndIncluding": "10.14.1.0", "versionStartIncluding": "10.3.1.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "CBFF04EF-B1C3-4601-878A-35EA6A15EF0C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user\u0027s control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work." }, { "lang": "es", "value": "En Apache Derby 10.3.1.4 a 10.14.1.0, un paquete de red especialmente manipulado puede emplearse para solicitar que Derby Network Server cargue una base de datos cuya ubicaci\u00f3n y contenido est\u00e1n bajo el control del usuario. Si Derby Network Server no se est\u00e1 ejecutando con un archivo de pol\u00edticas de Java Security Manager, el ataque tendr\u00e1 \u00e9xito. Si el servidor est\u00e1 usando un archivo de pol\u00edticas, este archivo debe permitir que la ubicaci\u00f3n de la base de datos pueda leerse para que el ataque funcione. 
El archivo de pol\u00edticas de Derby Network Server por defecto distribuido con las versiones afectadas incluye una pol\u00edtica permisiva como la pol\u00edtica por defecto del servidor de red, lo que permite que el ataque funcione." } ], "id": "CVE-2018-1313", "lastModified": "2024-11-21T03:59:36.397", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-05-07T13:29:00.267", "references": [ { "source": "security@apache.org", "tags": [ "Broken Link" ], "url": "http://www.securityfocus.com/bid/104140" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "source": "security@apache.org", "url": 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r437d94437e6aef31af689b1e7025d024d676fd1ea9901d74e3e9ae48%40%3Cissues.hive.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r6755f48d4f5e44e39bba7dbf8d746678239d7f1f2cc108125519ce53%40%3Cissues.hive.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/re29ab90978e6c997377fb975f674f7514f6beb642bbf79deb45477e5%40%3Cdev.hive.apache.org%3E" }, { "source": "security@apache.org", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://markmail.org/message/akkappppxcdqrgxk" }, { "source": "security@apache.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.securityfocus.com/bid/104140" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r437d94437e6aef31af689b1e7025d024d676fd1ea9901d74e3e9ae48%40%3Cissues.hive.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"https://lists.apache.org/thread.html/r6755f48d4f5e44e39bba7dbf8d746678239d7f1f2cc108125519ce53%40%3Cissues.hive.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/re29ab90978e6c997377fb975f674f7514f6beb642bbf79deb45477e5%40%3Cdev.hive.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://markmail.org/message/akkappppxcdqrgxk" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }