Conversation

sust4in (Owner) commented Jul 23, 2024

This PR was generated by CodeThreat utilizing authenticated user credentials.

Issue Description

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

Changes included in this PR

  • Modifications to the following files to address the vulnerabilities with updated dependencies:
    • pom.xml

Security Issues Addressed

Through Dependency Upgrades:

Issue                                            Upgrade                             Severity
hsqldb: Untrusted input may lead to RCE attack   org.hsqldb:hsqldb: 2.5.2 -> 2.7.1   CRITICAL

Review the modifications in this PR to confirm they do not introduce any issues to your project.
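A reviewer of a PR like this usually wants to confirm that the project really ends up on 2.7.1 rather than trusting the diff summary. The script below is an added example, not part of the PR or of CodeThreat's tooling: it parses a pom.xml, resolves `${...}` property placeholders in the hsqldb version element (a common reason a plain text search for the old version misses it), and reports any org.hsqldb:hsqldb declaration below 2.7.1, the release the PR upgrades to. The embedded POM is constructed for the example; the function names are the example's own.

```python
"""Flag org.hsqldb:hsqldb versions below 2.7.1 in a Maven pom.xml.

Added example for the PR discussion above; not the project's own code.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"
# First hsqldb release that blocks static method calls by default (from the PR text).
FIXED_VERSION = (2, 7, 1)

# Constructed sample pom.xml: the hsqldb version is pinned through a property,
# so grepping the <dependency> block for "2.5.2" would find nothing.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <hsqldb.version>2.5.2</hsqldb.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.hsqldb</groupId>
      <artifactId>hsqldb</artifactId>
      <version>${hsqldb.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '2.7.1' (or '2.7.1-jdk8', '2.7') into a comparable tuple of ints."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g else 0 for g in match.groups())


def hsqldb_versions(pom_xml):
    """Return the resolved org.hsqldb:hsqldb versions declared in the POM.

    Dependencies whose version is inherited from a parent or BOM (no
    <version> element) are skipped here and need a check of the effective POM.
    """
    root = ET.fromstring(pom_xml)
    ns = {"m": MAVEN_NS}
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", ns)}
    found = []
    for dep in root.iter(f"{{{MAVEN_NS}}}dependency"):
        gid = dep.findtext("m:groupId", default="", namespaces=ns).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=ns).strip()
        if (gid, aid) != ("org.hsqldb", "hsqldb"):
            continue
        ver = dep.findtext("m:version", default="", namespaces=ns).strip()
        if not ver:
            continue
        # Resolve ${prop} placeholders against <properties>; unknown ones stay as-is.
        ver = re.sub(r"\$\{([^}]+)\}",
                     lambda m: props.get(m.group(1), m.group(0)), ver)
        found.append(ver)
    return found


def vulnerable_versions(pom_xml):
    """hsqldb versions in the POM that are older than the fixed release 2.7.1."""
    return [v for v in hsqldb_versions(pom_xml)
            if parse_version(v) < FIXED_VERSION]


if __name__ == "__main__":
    bad = vulnerable_versions(SAMPLE_POM)
    print("vulnerable hsqldb versions:", bad or "none")
```

Run it against the repository's pom.xml (replace `SAMPLE_POM` with the file contents) before and after applying the PR; the version should move from the flagged list to an empty result. For multi-module builds, run it on the output of `mvn help:effective-pom` so that parent and BOM-managed versions are included.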
