[MAVEN:GHSA-42XW-P62X-HWCF] Improper Access Control in Apache Derby

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.

Package	Affected Version
pkg:maven/org.apache.derby/derby	>= 10.3.1.4, <= 10.14.1.0

Package	Fixed Version
pkg:maven/org.apache.derby/derby	= 10.14.2.0

ID: MAVEN:GHSA-42XW-P62X-HWCF
Severity: moderate
URL: https://github.com/advisories/GHSA-42xw-p62x-hwcf
Published: 2022-05-13T01:02:18
(2 years ago)
Modified: 2023-01-27T05:02:11
(20 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2018-1313
			https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
			https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
			https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
			https://lists.apache.org/thread.html/r437d94437e6aef31af689b1e7025d024d676fd1ea9901d74e3e9ae48@%3Cissues.hive.apache.org%3E
			https://lists.apache.org/thread.html/r6755f48d4f5e44e39bba7dbf8d746678239d7f1f2cc108125519ce53@%3Cissues.hive.apache.org%3E
			https://lists.apache.org/thread.html/re29ab90978e6c997377fb975f674f7514f6beb642bbf79deb45477e5@%3Cdev.hive.apache.org%3E
			https://markmail.org/message/akkappppxcdqrgxk
			https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
			http://www.securityfocus.com/bid/104140
			https://github.com/advisories/GHSA-42xw-p62x-hwcf

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.apache.derby/derby	org.apache.derby	derby	>= 10.3.1.4 <= 10.14.1.0
Fixed	pkg:maven/org.apache.derby/derby	org.apache.derby	derby	= 10.14.2.0

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date