Update dependency org.apache.derby:derby to v10.15.1.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.apache.derby:derby (source)	10.11.1.1 → 10.15.1.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Improper Access Control in Apache Derby

CVE-2018-1313 / GHSA-42xw-p62x-hwcf

More information

Details

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-1313
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@​%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://lists.apache.org/thread.html/r437d94437e6aef31af689b1e7025d024d676fd1ea9901d74e3e9ae48@​%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r6755f48d4f5e44e39bba7dbf8d746678239d7f1f2cc108125519ce53@​%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/re29ab90978e6c997377fb975f674f7514f6beb642bbf79deb45477e5@​%3Cdev.hive.apache.org%3E
• https://markmail.org/message/akkappppxcdqrgxk
• https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
• http://www.securityfocus.com/bid/104140
• https://github.com/advisories/GHSA-42xw-p62x-hwcf

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Improper Restriction of XML External Entity Reference in Apace Derby

CVE-2015-1832 / GHSA-wr69-g62g-2r9h

More information

Details

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.

Severity

• CVSS Score: 9.1 / 10 (Critical)
• Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2015-1832
• https://issues.apache.org/jira/browse/DERBY-6807
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@​%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@​%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@​%3Csolr-user.lucene.apache.org%3E
• https://svn.apache.org/viewvc?view=revision&revision=1691461
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
• http://www-01.ibm.com/support/docview.wss?uid=swg21990100
• https://github.com/advisories/GHSA-wr69-g62g-2r9h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Apache Derby: LDAP injection vulnerability in authenticator

CVE-2022-46337 / GHSA-rcjc-c4pj-xxrp

More information

Details

A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures.

Mitigation:

Users should upgrade to Java 21 and Derby 10.17.1.0.

Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-46337
• https://lists.apache.org/thread/q23kvvtoohgzwybxpwozmvvk17rp0td3
• https://issues.apache.org/jira/browse/DERBY-7147
• https://github.com/advisories/GHSA-rcjc-c4pj-xxrp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.