Rick Hillegas created DERBY-6631:
------------------------------------
Summary: FileMonitor can be used to elevate an application's privileges
Key: DERBY-6631
URL: https://issues.apache.org/jira/browse/DERBY-6631
Project: Derby
Issue Type: Bug
Components: Services
Affects Versions: 10.11.0.0
Reporter: Rick Hillegas

Various vulnerabilities in FileMonitor allow applications to perform
security-sensitive operations with the elevated privileges granted to Derby:

getDaemonThread() - The application can call this method in order to create
threads, using Derby's elevated privileges.

getJVMProperty() - The application can call this in order to read system
properties using Derby's elevated privileges.

setThreadPriority() - The application can call this method to change the
priority of a daemon thread it has created. This call will execute with Derby's
elevated privileges.
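
The pattern this report describes, shown beside a hardened form, as an added sketch that is not Derby's code and not part of the original message. It assumes the method does its work inside AccessController.doPrivileged (the report does not show the implementation); the class name MonitorSketch and the permission name "monitorSketch.useInternals" are hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical stand-in for a privileged library class; not Derby's FileMonitor.
public final class MonitorSketch {

    // Hypothetical permission name, granted in the policy file only to trusted code.
    private static final RuntimePermission USE_INTERNALS =
            new RuntimePermission("monitorSketch.useInternals");

    // Weak form: public entry point that asserts the library's own privileges.
    // doPrivileged stops the permission check at this frame, so a caller with
    // no PropertyPermission still gets the value back.
    public static String getJVMPropertyUnchecked(final String key) {
        return readPrivileged(key);
    }

    // Hardened form: verify the whole call stack (caller included) holds the
    // library-specific permission before any privileged work is done.
    public static String getJVMPropertyChecked(final String key) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(USE_INTERNALS); // throws SecurityException on failure
        }
        return readPrivileged(key);
    }

    // Private helper: the only place the library's privileges are asserted.
    private static String readPrivileged(final String key) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty(key);
            }
        });
    }

    public static void main(String[] args) {
        // Without a SecurityManager both calls succeed. Under a SecurityManager
        // whose policy withholds monitorSketch.useInternals from the caller, the
        // checked variant throws SecurityException while the unchecked one still
        // returns the value.
        System.out.println(getJVMPropertyUnchecked("java.version"));
        System.out.println(getJVMPropertyChecked("java.version"));
    }
}
```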