Candidate: CVE-2018-1313
PublicDate: 2018-05-07 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1313
 http://www.openwall.com/lists/oss-security/2018/05/05/1
 https://markmail.org/message/akkappppxcdqrgxk
Description:
 In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet
 can be used to request the Derby Network Server to boot a database whose
 location and contents are under the user's control. If the Derby Network
 Server is not running with a Java Security Manager policy file, the attack
 is successful. If the server is using a policy file, the policy file must
 permit the database location to be read for the attack to work. The default
 Derby Network Server policy file distributed with the affected releases
 includes a permissive policy as the default Network Server policy, which
 allows the attack to work.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N [5.3 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N [5.3 MEDIUM]


Patches_derby:
upstream_derby: needs-triage
precise/esm_derby: DNE
trusty_derby: ignored (reached end-of-life)
trusty/esm_derby: DNE (trusty was needs-triage)
xenial_derby: ignored (end of standard support, was needs-triage)
artful_derby: ignored (reached end-of-life)
bionic_derby: needs-triage
cosmic_derby: ignored (reached end-of-life)
disco_derby: not-affected (10.14.2.0-1)
eoan_derby: not-affected (10.14.2.0-1)
focal_derby: not-affected (10.14.2.0-1)
groovy_derby: not-affected (10.14.2.0-1)
hirsute_derby: not-affected (10.14.2.0-1)
impish_derby: not-affected (10.14.2.0-1)
jammy_derby: not-affected (10.14.2.0-1)
devel_derby: not-affected (10.14.2.0-1)