Strix
26.1K

CVE-2018-1313

MEDIUMCVSS 5.3/10EPSS 4.50%

Last modified

CVE-2018-1313 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. EPSS estimates a 4.50% chance of exploitation in the next 30 days.

Description

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.

Metrics

CVSS 3.1
5.3/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Probability
4.50%

90.3th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersions
ApacheDerby>= 10.3.1.4, <= 10.14.1.0
OracleWeblogic Server12.2.1.3

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2018-1313?
In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.
How severe is CVE-2018-1313?
CVE-2018-1313 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 4.50% probability of exploitation in the next 30 days.
How do I fix CVE-2018-1313?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-1313?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST