SYSCS_EXPORT_TABLE can be used to overwrite derby files
-------------------------------------------------------
Key: DERBY-2437
URL: https://issues.apache.org/jira/browse/DERBY-2437
Project: Derby
Issue Type: Bug
Components: Security
Reporter: Daniel John Debrunner
Priority: Critical

There are no controls over which files SYSCS_EXPORT_TABLE can write, thus allowing any user that has permission to execute the procedure to try to modify information that they have no permission to modify. In a similar fashion to the one described in DERBY-2436 I could overwrite derby.properties, at least leading to a denial of service attack on the next re-boot. With more time it might be possible to write out a valid properties file which would allow changing the authentication, silently adding a new user etc.
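One way an export procedure could constrain where it writes, as an added Java example that is not taken from the issue or from Derby's code. The class `ExportTargetGuard`, the dedicated export directory and the temporary directories in `main` are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;

/** Hypothetical guard (not a Derby API): confines export output to one directory. */
public final class ExportTargetGuard {
    private final Path exportRoot; // assumed: the only directory exports may write into

    public ExportTargetGuard(Path exportRoot, Path derbyHome) throws IOException {
        this.exportRoot = exportRoot.toRealPath();
        // The export area must never sit inside the directory holding derby.properties.
        if (this.exportRoot.startsWith(derbyHome.toRealPath())) {
            throw new IllegalArgumentException("export root must not be inside derby home");
        }
    }

    /** Returns the resolved target, or throws SecurityException if the write must be refused. */
    public Path check(String requestedFile) throws IOException {
        Path candidate = exportRoot.resolve(requestedFile).normalize();
        Path parent = candidate.getParent();
        if (parent == null || candidate.getFileName() == null) {
            throw new SecurityException("not a file path");
        }
        // Resolve symlinks in the directory part, then re-attach the file name.
        Path target = parent.toRealPath().resolve(candidate.getFileName());
        if (!target.startsWith(exportRoot)) {
            throw new SecurityException("outside export directory");
        }
        if (Files.exists(target, LinkOption.NOFOLLOW_LINKS)) {
            throw new SecurityException("refusing to overwrite existing file");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: a stand-in derby home and a separate export directory.
        Path home = Files.createTempDirectory("derby-home");
        Path props = Files.createFile(home.resolve("derby.properties"));
        Path root = Files.createTempDirectory("exports");
        ExportTargetGuard guard = new ExportTargetGuard(root, home);
        String[] requests = { "orders.del", props.toString(),
                              "../" + home.getFileName() + "/derby.properties" };
        for (String r : requests) {
            try { System.out.println("allow " + guard.check(r)); }
            catch (SecurityException e) { System.out.println("deny  " + r + ": " + e.getMessage()); }
        }
    }
}
```

The caller should open the returned path with `StandardOpenOption.CREATE_NEW` so that the no-overwrite rule is enforced atomically at write time rather than only at check time.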