fix(deps): update dependency org.hsqldb:hsqldb to v2.7.1 [security]#2671
Merged
Member: v2.7.1 and later requires Java 11
bjagg approved these changes Apr 23, 2026
This PR contains the following updates:
org.hsqldb:hsqldb 2.5.1 → 2.7.1
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
HyperSQL DataBase vulnerable to remote code execution when processing untrusted input
CVE-2022-41853 / GHSA-77xx-rxvh-q682
More information
Details
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
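The advisory above describes the hole (SQL may invoke any static Java method on the classpath) and two fixes (upgrade to 2.7.1, or set hsqldb.method_class_names). The following is an added probe, not code from this PR, from Renovate or from the HSQLDB project, that a reviewer can run against the application's actual classpath to confirm the upgrade (or the property) really closed the hole. It assumes HSQLDB's documented double-quoted static-method call syntax, the in-memory URL jdbc:hsqldb:mem:probe with the default SA user, and that "java.lang.Math" is an acceptable value for the allow-list property; the class and method names are the author's own choices.

```java
// Added example (not part of the PR or of HSQLDB): probe whether the HSQLDB
// engine on the classpath still lets SQL call arbitrary static Java methods
// (CVE-2022-41853). Run once against the old jar and once after the upgrade.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class HsqldbStaticMethodProbe {

    // Control: java.lang.Math is callable in every version (it is the only
    // class on the 2.7.1 default allow-list), so this call must always work.
    static final String PROBE_MATH = "CALL \"java.lang.Math.abs\"(-5)";

    // Probe: a harmless static method outside java.lang.Math. On hsqldb 2.5.1
    // with default settings this succeeds (the advisory's "any static method of
    // any Java class"); on 2.7.1 with default settings the engine must reject it.
    static final String PROBE_OUTSIDE_MATH =
        "CALL \"java.lang.System.getProperty\"('java.version')";

    /** Returns true if the engine executes the statement, false if it rejects it. */
    static boolean callSucceeds(Connection c, String sql) {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        } catch (SQLException e) {
            // Expected on a hardened engine: the class is not on the allow-list.
            return false;
        }
    }

    public static void main(String[] args) throws SQLException {
        // Mitigation for engines older than 2.7.1 (the advisory's property).
        // The property must be set before any HSQLDB class is loaded, i.e. before
        // the first getConnection(); equivalent to -Dhsqldb.method_class_names=...
        // Uncomment to verify the mitigation on an old jar:
        // System.setProperty("hsqldb.method_class_names", "java.lang.Math");

        // Assumed connection settings: HSQLDB in-memory database, default SA user.
        try (Connection c = DriverManager.getConnection("jdbc:hsqldb:mem:probe", "SA", "")) {
            boolean mathOk = callSucceeds(c, PROBE_MATH);
            boolean systemOk = callSucceeds(c, PROBE_OUTSIDE_MATH);

            System.out.println("java.lang.Math.abs callable:         " + mathOk);
            System.out.println("java.lang.System.getProperty callable: " + systemOk);

            if (!mathOk) {
                System.out.println("UNEXPECTED: even java.lang.Math is blocked; check the allow-list syntax");
            } else if (systemOk) {
                System.out.println("VULNERABLE: static methods outside the allow-list are reachable from SQL");
            } else {
                System.out.println("OK: the engine rejects static method calls outside the allow-list");
            }
        }
    }
}
```

Run it with the hsqldb jar on the classpath (java -cp hsqldb.jar:. HsqldbStaticMethodProbe). The second probe deliberately uses a read-only method rather than anything with side effects: the point is to observe whether the engine consults an allow-list, not to exercise the code-execution path. Note that the upgrade only changes the engine default; an application that already sets hsqldb.method_class_names to a broad value re-opens the hole on 2.7.1 as well, so grep the deployment's JVM arguments and System.setProperty calls for that property as part of the same review.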