Rick Hillegas created DERBY-6636:
------------------------------------
Summary: The public api of BaseDataFileFactory may allow blackhats
to assume elevated privileges.
Key: DERBY-6636
URL: https://issues.apache.org/jira/browse/DERBY-6636
Project: Derby
Issue Type: Bug
Components: Store
Affects Versions: 10.11.0.0
Reporter: Rick Hillegas
BaseDataFileFactory has a public constructor and a public boot() method.
Arbitrary code running in the JVM may be able to instantiate a
BaseDataFileFactory outside of Derby's authentication mechanisms and so acquire
the ability to read/update Derby-managed data with the privileges granted to
Derby.
This is just an observation based on casual code inspection. It may be that
there are mechanisms in place which frustrate this attack. I have not tried to
exploit this potential vulnerability myself.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
