CVE-2022-46337 Report - Details, Severity, & Advisories

Twingate Team

Jun 13, 2024

What is CVE-2022-46337?

CVE-2022-46337 is a critical security vulnerability in Apache Derby when LDAP authentication is enabled. A specially crafted username can bypass LDAP authentication, potentially allowing an attacker to create junk databases, execute malware, and access sensitive data and functions. Any system running an affected version of Apache Derby with LDAP authentication is at risk, so addressing this vulnerability is essential for secure operations.

Who is impacted by this?

Specifically, the impacted versions are Apache Derby versions from 10.1.1.0 up to, but not including, 10.14.3.0, from 10.15.1.3 up to, but not including, 10.15.2.1, and version 10.16.1.1. If you're using any of these versions, your system could be at risk.
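The version ranges above are easy to misread by hand (the upper bounds are exclusive, and one version is listed on its own). The following Python script is an added example, not Derby's own tooling or anything from this report: it encodes exactly the ranges stated above and checks a version string against them. It assumes the version is available as a dotted string such as the one Derby's sysinfo tool prints, and it reads the real Derby property derby.authentication.provider from a constructed derby.properties sample to decide whether LDAP authentication is in use, since the advisory scopes the flaw to LDAP-authenticated installations.

```python
import re

# Affected ranges exactly as stated in the advisory: [lower, upper) pairs
# plus one exact version. Versions are compared as tuples of integers.
AFFECTED_RANGES = [
    ((10, 1, 1, 0), (10, 14, 3, 0)),
    ((10, 15, 1, 3), (10, 15, 2, 1)),
]
AFFECTED_EXACT = {(10, 16, 1, 1)}

# Assumption: the input contains a dotted version, possibly followed by
# build information (e.g. "10.14.2.0 - (1828579)" as sysinfo prints it).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Extract the first dotted version from text and return it as a 4-tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 4:          # pad short versions such as "10.14"
        parts.append(0)
    return tuple(parts[:4])


def is_affected(version_text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    if v in AFFECTED_EXACT:
        return True
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def ldap_auth_enabled(properties_text):
    """Parse a derby.properties file and report whether LDAP authentication is configured."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "derby.authentication.provider":
            return value.strip().upper() == "LDAP"
    return False


def triage(version_text, properties_text):
    """Combine version and configuration into one of three outcomes."""
    if not is_affected(version_text):
        return "not-affected"
    if ldap_auth_enabled(properties_text):
        # Upgrade to Derby 10.17.1.0 on Java 21, or a build with the backported fix.
        return "affected"
    # Vulnerable code is present but not reachable via LDAP auth; still upgrade.
    return "affected-version-ldap-off"


# Constructed sample inputs for a stand-alone run.
SAMPLE_SYSINFO_LINE = "10.14.2.0 - (1828579)"
SAMPLE_PROPERTIES = """# constructed derby.properties sample
derby.connection.requireAuthentication=true
derby.authentication.provider=LDAP
derby.authentication.server=ldap://ldap.example.internal:389
"""

if __name__ == "__main__":
    print(SAMPLE_SYSINFO_LINE, "->", triage(SAMPLE_SYSINFO_LINE, SAMPLE_PROPERTIES))
```

Run it against the output of `java -jar derby.jar sysinfo` (or the version reported by your dependency manifest) and the derby.properties of each instance; an "affected" result means the instance is both on a vulnerable version and using the LDAP provider the advisory describes.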

What should I do if I’m affected?

To mitigate the risk, upgrade to Java 21 and Derby 10.17.1.0, or build your own Derby distribution from the release families with the fix backported (10.16, 10.15, and 10.14). This will help protect your system from potential attacks and data breaches.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

CVE-2022-46337 is not listed in CISA's Known Exploited Vulnerabilities Catalog. Discovered on November 20, 2023, this security issue involves a username bypassing LDAP authentication checks in certain Apache Derby installations. Users should upgrade to Java 21 and Derby 10.17.1.0 or build their own Derby distribution from release families 10.16, 10.15, or 10.14.

Weakness Enumeration

This vulnerability is classified as CWE-74, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). Here the downstream component is the LDAP server, which receives the username supplied to Derby; special characters in that username were not properly neutralized before it was handed on.
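To make the CWE-74 pattern concrete, the following Python is an added example written for this report; it is not Derby's code and does not reproduce the Derby bug. It shows the general shape of the weakness in an LDAP lookup: a username concatenated verbatim into a search filter beside the hardened form that escapes filter metacharacters per RFC 4515, plus two defensive checks a reviewer can apply to any filter-building code. The attribute name `uid` and the sample usernames are constructed.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
# Each metacharacter becomes a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Neutralize filter metacharacters so the value is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username):
    """Vulnerable pattern (CWE-74): the untrusted value is spliced in verbatim,
    so characters in it can change the filter's structure or semantics."""
    return f"(uid={username})"


def build_user_filter(username):
    """Hardened form: the value is escaped before it reaches the downstream LDAP server."""
    return f"(uid={escape_filter_value(username)})"


def is_plausible_username(username):
    """Defense in depth: an allowlist applied before any filter is built.
    Assumption: usernames here are short and use a conservative character set."""
    return bool(username) and len(username) <= 64 and all(
        ch.isalnum() or ch in "._-" for ch in username
    )


def count_unescaped(filter_text, ch):
    """Count occurrences of ch that are not part of a \\xx escape sequence."""
    count, i = 0, 0
    while i < len(filter_text):
        if filter_text[i] == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if filter_text[i] == ch:
            count += 1
        i += 1
    return count


def is_single_equality(filter_text):
    """Check that a built filter is still exactly one equality assertion:
    one open paren, one close paren, and no wildcard that would turn the
    equality match into a substring match."""
    return (
        count_unescaped(filter_text, "(") == 1
        and count_unescaped(filter_text, ")") == 1
        and count_unescaped(filter_text, "*") == 0
    )


if __name__ == "__main__":
    # Constructed sample usernames: one with a wildcard, one with parentheses.
    for name in ["alice", "al*ce", "(bob)"]:
        unsafe, safe = build_user_filter_unsafe(name), build_user_filter(name)
        print(f"{name!r}: unsafe={unsafe} ok={is_single_equality(unsafe)} "
              f"| safe={safe} ok={is_single_equality(safe)}")
```

The structural check is what a code reviewer or unit test can apply to any filter builder: if the output for a hostile-looking input is no longer a single equality assertion, the value was not neutralized and the code has the CWE-74 shape. The allowlist is a second gate, but escaping is the primary fix because it preserves legitimate usernames the allowlist might reject.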

Learn More

For a comprehensive understanding of this vulnerability, consult the NVD page for details on its description, severity, technical aspects, and affected software configurations.
