CVE-2022-41853

HIGH

HSQLDB <2.7.1 - Remote Code Execution via Untrusted SQL Method Calls

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-41853. PoCs published by mbadanoiu.

AI-analyzed exploit summary This repository provides a detailed proof-of-concept for CVE-2022-41853, demonstrating RCE in HSQLDB via Java deserialization and remote codebase attacks. It includes payloads for exploiting the vulnerability in environments where HSQLDB is embedded in applications like Apache SOLR.

Description

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

Exploits (1)

nomisec WORKING POC 2 stars

by mbadanoiu · poc

https://github.com/mbadanoiu/CVE-2022-41853

View Code ZIP pw:eip

This repository provides a detailed proof-of-concept for CVE-2022-41853, demonstrating RCE in HSQLDB via Java deserialization and remote codebase attacks. It includes payloads for exploiting the vulnerability in environments where HSQLDB is embedded in applications like Apache SOLR.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: HSQLDB (HyperSQL DataBase) versions prior to 2.7.1

No auth needed

Prerequisites: Presence of HSQLDB in the target application · Apache Commons Collections or similar libraries in the classpath for deserialization payloads

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory

http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control

Mailing List, Third Party Advisory

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7

Mailing List, Third Party Advisory mailing-list

https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html

Third Party Advisory vendor-advisory

https://www.debian.org/security/2023/dsa-5313

Scores

CVSS v3 8.0

EPSS 0.7014

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-470

Status published

Products (4)

debian/debian_linux 10.0

debian/debian_linux 11.0

hsqldb/hypersql_database < 2.7.1

org.hsqldb/hsqldb 0 - 2.7.1Maven

Published Oct 06, 2022

Tracked Since Feb 18, 2026