HyperSQL Database (HSQLDB) Remote Code Execution Vulnerability (CVE-2022-41853)

Oct 27, 2022 GMT+08:00

I. Overview

Recently, it has been disclosed that there is an important remote code execution vulnerability (CVE-2022-41853) in the HyperSQL database. By default, HyperSQL SQL statements can invoke any static method from any Java class in the class path. When java.sql.Statement and java.sql.PreparedStatement are used to parse untrusted binary or text data, remote code execution may occur.

HSQLDB is an open-source relational database written in Java. If you are an HSQLDB user, check your HSQLDB version and implement timely security hardening.

Reference:

https://www.code-intelligence.com/blog/potential-remote-code-execution-in-hsqldb

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

HSQLDB < 2.7.1

Secure versions:

HSQLDB 2.7.1

IV. Vulnerability Handling

This vulnerability has been fixed in version 2.7.1. If your service version is earlier than 2.7.1, upgrade it to version 2.7.1.

http://hsqldb.org/

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.