Skip to content

Update dependency org.apache.derby:derby to v10.14.2.0 [SECURITY]#315

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/maven-org.apache.derby-derby-vulnerability
Open

Update dependency org.apache.derby:derby to v10.14.2.0 [SECURITY]#315
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/maven-org.apache.derby-derby-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Sep 27, 2024

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
org.apache.derby:derby (source) 10.11.1.110.14.2.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Improper Access Control in Apache Derby

CVE-2018-1313 / GHSA-42xw-p62x-hwcf

More information

Details

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Improper Restriction of XML External Entity Reference in Apace Derby

CVE-2015-1832 / GHSA-wr69-g62g-2r9h

More information

Details

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title Update dependency org.apache.derby:derby to v10.15.1.3 [SECURITY] Update dependency org.apache.derby:derby to v10.14.2.0 [SECURITY] Jul 4, 2026
@renovate renovate Bot force-pushed the renovate/maven-org.apache.derby-derby-vulnerability branch from a175e0c to c106bdf Compare July 4, 2026 03:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants