CVE-2018-1313 in Apache and Oracle Products
Published on May 7, 2018
In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.
Products Associated with CVE-2018-1313
Affected Versions
Apache Software Foundation Apache Derby, versions 10.3.1.4 to 10.14.1.0, is affected by CVE-2018-1313.
Exploit Probability
EPSS: 0.77%
Percentile: 73.93%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.