What is CVE-2022-41853?

CVE-2022-41853 is a high-severity vulnerability in Hypersql Database Hsqldb, classified under Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection). CVSS score: 8.0/10. Published 2022-10-06.

How severe is CVE-2022-41853?

High severity. CVSS v3 base score is 8.0 out of 10.

Is CVE-2022-41853 known to be exploited?

9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Hypersql Database Hsqldb

CVE-2022-41853

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class…

EPSS: 0.701 (98.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.0 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H.

Affected products

Hypersql Database Hsqldb — versions unspecified

Weakness classification (CWE)

CWE-470 — Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)

Public proof-of-concept exploits

References

bugs.chromium.org/p/oss-fuzz/issues/detail
hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html
[debian-lts-announce] 20221210 [SECURITY] [DLA 3234-1] hsqldb security update (mailing-list)
DSA-5313 (vendor-advisory)

Frequently asked questions

What is CVE-2022-41853?: CVE-2022-41853 is a high-severity vulnerability in Hypersql Database Hsqldb, classified under Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection). CVSS score: 8.0/10. Published 2022-10-06.
How severe is CVE-2022-41853?: High severity. CVSS v3 base score is 8.0 out of 10.
Is CVE-2022-41853 known to be exploited?: 9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.