Cyber Resilience

CVE-2022-41853

Severity: High
Published: 06 October 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: not recorded
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.7014 (98.7th percentile)
Risk Priority: 58 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-41853 is a high-severity Unsafe Reflection (CWE-470) vulnerability in hsqldb (HyperSQL DataBase), as packaged for Debian Linux. Its CVSS base score is 8.0 (High).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS 0.7014, 98.7th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to remote code execution. By default the database allows invocation of any static method on classes in the classpath, enabling arbitrary code execution when attacker-controlled SQL is executed. The flaw is tracked as CVE-2022-41853 with a CVSS 3.1 score of 8.0 and is also associated with CWE-470.

An attacker with the ability to supply input processed through these JDBC interfaces can achieve full remote code execution on the database server. Exploitation requires the attacker to craft SQL that invokes dangerous static methods; the attack is rated as needing high complexity, low privileges, and some user interaction, yet results in complete compromise of confidentiality, integrity, and availability, with a scope change (S:C) because the impact extends beyond the database component itself.

The vendor states that the issue is resolved in version 2.7.1, which restricts callable classes to java.lang.Math by default; earlier versions can be hardened by setting the system property hsqldb.method_class_names to an explicit allow-list. Debian has issued updates via DSA-5313 and corresponding LTS advisories that apply the same restrictions or package upgrades.

EPSS for the CVE rose from a low baseline to a peak of 0.7449 (currently 0.7014), indicating measurable post-disclosure exploitation interest that warrants renewed attention from defenders.

EU & UK References

Vulnerability details

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
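The allow-list hardening described in the details above and in the deeper analysis, as an added example that is not part of this page or of the HyperSQL project's own code: it sets hsqldb.method_class_names to an explicit pattern before the engine loads, opens an in-memory database, and checks that a CALL to a listed class succeeds while a CALL to an unlisted class is refused. The in-memory database name, the pattern value "java.lang.Math.*", and the harmless probe method used for the negative check are assumptions chosen for illustration; the hsqldb jar is assumed to be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class HsqldbMethodAllowListCheck {

    // Explicit allow-list (assumed pattern syntax: "class.*" or "class.method",
    // semicolon-separated). It must be set before HSQLDB reads the property, so
    // a static initializer here, or -Dhsqldb.method_class_names=... at JVM startup.
    static {
        System.setProperty("hsqldb.method_class_names", "java.lang.Math.*");
    }

    /** Executes a CALL of a static Java method and reports whether HSQLDB accepted it. */
    static String probe(Statement st, String sql) {
        try {
            boolean hasResult = st.execute(sql);
            if (hasResult) {
                try (ResultSet rs = st.getResultSet()) {
                    return rs.next() ? "allowed (result " + rs.getString(1) + ")" : "allowed (no rows)";
                }
            }
            return "allowed (no result set)";
        } catch (SQLException e) {
            // Expected outcome for any class outside the allow-list.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory database, default SA account with empty password.
        try (Connection c = DriverManager.getConnection("jdbc:hsqldb:mem:allowlistcheck", "SA", "");
             Statement st = c.createStatement()) {

            // Listed class: the call goes through.
            System.out.println(probe(st, "CALL \"java.lang.Math.abs\"(-5)"));

            // Unlisted class (a harmless method, used only as a probe): must be refused.
            System.out.println(probe(st, "CALL \"java.lang.System.currentTimeMillis\"()"));
        }
    }
}
```

In a real deployment, prefer the -D form the page mentions over a code-level System.setProperty call, because the property is read once when the engine loads and any code path that touches the driver earlier (connection pools, health checks, migrations) would silently leave the default in place. Keep the list to java.lang.Math and the application's own routine classes; the control applies at the engine level, so it holds regardless of whether the SQL text arrived through a Statement or a PreparedStatement.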

CWE(s)

CWE-470 (Unsafe Reflection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

hsqldb: hypersql database, ≤ 2.7.1
debian: debian linux, 10.0, 11.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-470

Externally controlled class or code selection can be resolved and invoked inside the chamber, surfacing unsafe reflection without system impact.

References