Remote Code Execution vulnerability - hsqldb

[libbytheoharis]

Summary

The use of org.hsqldb : hsqldb : 2.5.2's java.sql.Statement or java.sql.PreparedStatement can allow remote code execution.

Details

org.hsqldb : hsqldb : 2.5.2

[libbytheoharis]

Locations:

• https://github.com/sonatype-nexus-community/codetocloud-workshop/blob/804de2848357e38548bfb4b882cbbe55bbb539eb/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java#L25
• https://github.com/sonatype-nexus-community/codetocloud-workshop/blob/804de2848357e38548bfb4b882cbbe55bbb539eb/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java#L26

[samschurter]

Thanks for catching this! Can you provide details on the vulnerability such as which versions are vulnerable and recommendations to fix?