FixVibe research note (severity: critical)

Apache Derby LDAP Injection in Authenticator (CVE-2022-46337)

A critical vulnerability (CVE-2022-46337) exists in Apache Derby from 10.1.1.0 through 10.16.1.1. The LDAP authentication scheme does not escape the user-supplied login name before embedding it in the LDAP search filter, allowing LDAP filter injection. This can lead to authentication bypass or unauthorized disclosure of information from the directory service.

CVE-2022-46337 · GHSA-rcjc-c4pj-xxrp · CWE-74 · CWE-94

Impact

An attacker can bypass authentication checks or manipulate directory queries by supplying a login name that contains LDAP filter metacharacters [S2]. NVD rates the issue critical with a CVSS score of 9.8, since the flaw is reachable before authentication succeeds [S1]. On an LDAP-authenticated Derby server the upstream advisory describes an attacker filling the disk with junk databases, running executables visible to the account that booted the server and, where SQL GRANT/REVOKE authorization is not also enabled, reading and corrupting data and calling database procedures.

Root Cause

The root cause is a failure to escape the user-supplied login name before it is substituted into the LDAP search filter that the Apache Derby authentication scheme sends to the directory [S2]. The password is not the vector: it is used in the subsequent bind, not in the search filter. Every release from 10.1.1.0 through 10.16.1.1 is affected [S3]. When the database is configured to use LDAP for user authentication (derby.authentication.provider=LDAP), a specially crafted username alters the logic of the LDAP query sent to the backend directory server, so the search can resolve to entries the supplied name should never match [S2].
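The following is an added example, not Derby's own code: it models the search step of Derby's LDAP scheme against a small in-memory directory and contrasts verbatim substitution of the login name with RFC 4515 escaping. The filter shape is an assumption modelled on the documented default of the derby.authentication.ldap.searchFilter property (a %USERNAME% placeholder); the directory entries are constructed for the demonstration.

```python
import re

# Added example, not Derby's code. Assumption: the filter follows the
# documented default of derby.authentication.ldap.searchFilter, which
# substitutes the login name for %USERNAME% before the search is sent.
SEARCH_FILTER_TEMPLATE = "(&(objectClass=inetOrgPerson)(uid=%USERNAME%))"

# Constructed in-memory directory standing in for the LDAP server.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "objectClass": "inetOrgPerson", "uid": "alice"},
    {"dn": "uid=admin,ou=people,dc=example,dc=com",
     "objectClass": "inetOrgPerson", "uid": "admin"},
    {"dn": "uid=svc(batch),ou=people,dc=example,dc=com",
     "objectClass": "inetOrgPerson", "uid": "svc(batch)"},
]

# RFC 4515 value escaping: characters that carry meaning inside a filter
# become \XX hex escapes, so the server matches them literally.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username):
    # The flaw: the login name is spliced into the filter verbatim.
    return SEARCH_FILTER_TEMPLATE.replace("%USERNAME%", username)


def build_filter_safe(username):
    # The fix: escape first, so the name can only ever be an assertion value.
    return SEARCH_FILTER_TEMPLATE.replace("%USERNAME%", escape_filter_value(username))


def _parse(s, i):
    """Recursive-descent parser for the RFC 4515 subset used here:
    and (&), or (|), not (!) and equality matches with '*' wildcards."""
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '%s' list at offset %d" % (op, i))
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '!' at offset %d" % i)
        return ("!", [kid]), i + 1
    eq = s.index("=", i)       # str.index raises ValueError when absent
    close = s.index(")", eq)   # a literal ')' inside a value must be escaped
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node


def _unescape(piece):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    if attr not in entry:
        return False
    # An unescaped '*' is a wildcard; every other piece is matched literally.
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    return re.fullmatch(pattern, entry[attr], re.DOTALL) is not None


def lookup_user(username, build_filter):
    """DNs the directory would return for this login name; the scheme binds
    with the result, so any DN beyond the caller's own is attacker-controlled."""
    node = parse_filter(build_filter(username))
    return [entry["dn"] for entry in DIRECTORY if _matches(node, entry)]


if __name__ == "__main__":
    print(lookup_user("*", build_filter_vulnerable))  # every entry, not the caller's
    print(lookup_user("*", build_filter_safe))        # nothing: '*' became \2a
```

Note the second failure mode the verbatim builder has: a legitimate login name such as svc(batch) produces an unbalanced filter that the parser rejects outright, whereas the escaped builder resolves it correctly. Escaping is therefore both the security fix and the correctness fix.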

How FixVibe could detect it

FixVibe could detect this vulnerability through its repository scanning capabilities. By analyzing Maven pom.xml files or Gradle build scripts, FixVibe can identify the use of affected versions of org.apache.derby:derby (any release from 10.1.1.0 below 10.17.1.0) [S2]. Additionally, FixVibe could scan derby.properties (or JVM system properties) for derby.authentication.provider=LDAP, together with derby.connection.requireAuthentication=true, without which the provider setting is inert, to confirm the vulnerable component is actively used in a high-risk configuration [S2].
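One way to implement the two checks above, as an added example that is not FixVibe's scanner: it resolves the Derby dependency version from a pom.xml (including ${property} references) and reads the authentication settings from derby.properties. The pom.xml and derby.properties contents are constructed samples. It assumes, as stated in the comments, that Maven Central publishes no Derby release between 10.16.1.1 and 10.17.1.0, so "below 10.17.1.0" is the affected test for published artifacts.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not FixVibe's scanner. Assumption: Maven Central ships no
# Derby release between 10.16.1.1 and 10.17.1.0, and the backported fixes on
# the 10.14, 10.15 and 10.16 branches are source-only, so for published
# artifacts "below 10.17.1.0" is the affected test.
FIRST_AFFECTED = (10, 1, 1, 0)
FIRST_FIXED = (10, 17, 1, 0)
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample inputs.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <derby.version>10.15.2.0</derby.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.derby</groupId>
      <artifactId>derby</artifactId>
      <version>${derby.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.derby</groupId>
      <artifactId>derbytools</artifactId>
      <version>10.17.1.0</version>
    </dependency>
  </dependencies>
</project>
"""
SAMPLE_PROPERTIES = """# derby.properties (constructed sample)
derby.connection.requireAuthentication=true
derby.authentication.provider=LDAP
derby.authentication.server=ldap://ldap.example.com:389
derby.authentication.ldap.searchBase=ou=people,dc=example,dc=com
"""


def parse_version(text):
    """'10.15.2.0' -> (10, 15, 2, 0); qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(version):
    return FIRST_AFFECTED <= version < FIRST_FIXED


def derby_dependencies(pom_xml):
    """Yield (artifactId, version tuple) for every org.apache.derby dependency,
    resolving ${property} references against the POM's own <properties>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    for dep in root.iter("{%s}dependency" % POM_NS["m"]):
        group = dep.findtext("m:groupId", "", POM_NS).strip()
        artifact = dep.findtext("m:artifactId", "", POM_NS).strip()
        raw = dep.findtext("m:version", "", POM_NS).strip()
        raw = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        if group == "org.apache.derby":
            yield artifact, parse_version(raw)


def ldap_auth_enabled(properties_text):
    """True when derby.properties both enforces authentication and selects LDAP."""
    settings = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return (settings.get("derby.connection.requireAuthentication", "").lower() == "true"
            and settings.get("derby.authentication.provider", "").upper() == "LDAP")


def assess(pom_xml, properties_text):
    """Findings a scanner would raise for this repository. Only the engine
    artifact ('derby') is checked, since that is what the note names."""
    findings = []
    for artifact, version in derby_dependencies(pom_xml):
        if artifact == "derby" and is_affected(version):
            findings.append("org.apache.derby:derby %s is in the CVE-2022-46337 affected range"
                            % ".".join(map(str, version)))
    if ldap_auth_enabled(properties_text):
        findings.append("derby.authentication.provider=LDAP with authentication required: "
                        "the vulnerable authenticator is active")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_POM, SAMPLE_PROPERTIES):
        print(finding)
```

The provider check is deliberately paired with derby.connection.requireAuthentication, because Derby performs no authentication at all when that property is false, and a finding on the provider alone would be noise. Gradle build scripts and properties set on the JVM command line would need their own readers; the version and property logic stays the same.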

Fix

Users should upgrade to Apache Derby 10.17.1.0, the first release containing the fix; it requires Java 21. Users who must remain on older Java versions can build from the 10.14, 10.15 or 10.16 branches, to which the Derby project backported the fix. If an immediate upgrade is not possible, reject login names containing the LDAP filter metacharacters ( ) * \ and NUL at the application layer before they reach Derby [S2], and enable SQL authorization (GRANT/REVOKE) so that a bypassed LDAP check does not by itself grant access to data.
