Apache Derby: LDAP injection vulnerability in authenticator
CVE-2022-46337

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Derby
Vendor: CVE Published:; 20 November 2023

Summary

A carefully crafted username can exploit a vulnerability in LDAP authentication checks in Apache Derby. This flaw allows an attacker to create excessive Derby databases, potentially exhausting disk space. Furthermore, with proper privileges, the attacker could execute malicious code linked to the Derby server account. If the LDAP-protected database lacks strong SQL authorization controls, it opens pathways for unauthorized access, enabling attackers to view, manipulate sensitive data, and execute critical database functions. To mitigate this risk, it is advised to upgrade to Java 21 and Derby 10.17.1.0 or consider building a custom Derby distribution based on earlier versions with applied fixes.

Affected Version(s)

Apache Derby 10.1.1.0 <= 10.1.3.1

Apache Derby 10.2.1.6 <= 10.2.2.0

Apache Derby 10.3.1.4 <= 10.3.3.0

References

https://lists.apache.org/thread/q23kvvtoohgzwybxpwozmvvk1...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 20, 2023
Vulnerability Reserved
Nov 29, 2022

Credit

This issue was discovered by 4ra1n and Y4tacker, who also proposed the fix.