ID CVE-2003-0845 Type cve Reporter NVD Modified 2017-10-10T21:29:15
Description
Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port 1701 in JBoss 3.2.1, and (2) port 1476 in JBoss 3.0.8.
{"id": "CVE-2003-0845", "bulletinFamily": "NVD", "title": "CVE-2003-0845", "description": "Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port 1701 in JBoss 3.2.1, and (2) port 1476 in JBoss 3.0.8.", "published": "2003-11-17T00:00:00", "modified": "2017-10-10T21:29:15", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0845", "reporter": "NVD", "references": ["http://marc.info/?l=bugtraq&m=106547728803252&w=2", "http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866", "http://marc.info/?l=bugtraq&m=106546044416498&w=2", "http://www.redhat.com/support/errata/RHSA-2007-1048.html", "http://www.securityfocus.com/bid/8773"], "cvelist": ["CVE-2003-0845"], "type": "cve", "lastseen": "2017-10-11T11:05:50", "history": [{"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11300", "name": "oval:org.mitre.oval:def:11300", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": [], "cvelist": ["CVE-2003-0845"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port 1701 in JBoss 3.2.1, and (2) port 1476 in JBoss 3.0.8.", "edition": 1, "hash": "7c8db40a4fe7cbf2a522851f62f0115efe0a513893dd4090e6071144e0bb1048", "hashmap": [{"hash": "2f74ef87709ac6327d65a5997fa52f7a", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "d326052586e6532c48388f0cbf399ba8", "key": "description"}, {"hash": "aae7446cae05b9c802205f8010489196", "key": "href"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "95457f251420371e396d029e2ea0a193", "key": "cvelist"}, {"hash": "cd29023ac46db32a99410df27a064426", "key": "title"}, {"hash": "af2bff9b5b712fe689b9e0c8cfbd4acb", "key": "assessment"}, {"hash": "17257e7fdb107c6c79b196be141f82af", "key": "references"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "97a4e195afe5bd682d310edca10810ac", "key": "published"}, {"hash": "3c7f7f574d81b65970a0ba17e9ad2d18", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0845", "id": "CVE-2003-0845", "lastseen": "2016-09-03T04:04:59", "modified": "2010-08-21T00:16:48", "objectVersion": "1.2", "published": "2003-11-17T00:00:00", "references": ["http://marc.theaimsgroup.com/?l=bugtraq&m=106546044416498&w=2", "http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866", "http://marc.theaimsgroup.com/?l=bugtraq&m=106547728803252&w=2", "http://www.redhat.com/support/errata/RHSA-2007-1048.html", "http://www.securityfocus.com/bid/8773"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:11300", "name": "oval:org.mitre.oval:def:11300", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2003-0845", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T04:04:59"}, {"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11300", "name": "oval:org.mitre.oval:def:11300", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": [], "cvelist": ["CVE-2003-0845"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port 1701 in JBoss 3.2.1, and (2) port 1476 in JBoss 3.0.8.", "edition": 2, "enchantments": {}, "hash": "fdcec870b20733328f8557e2191f92155c11ba7a6ff8a922ad63712dc0ed4731", "hashmap": [{"hash": "2f74ef87709ac6327d65a5997fa52f7a", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "d326052586e6532c48388f0cbf399ba8", "key": "description"}, {"hash": "aae7446cae05b9c802205f8010489196", "key": "href"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "95457f251420371e396d029e2ea0a193", "key": "cvelist"}, {"hash": "cd29023ac46db32a99410df27a064426", "key": "title"}, {"hash": "af2bff9b5b712fe689b9e0c8cfbd4acb", "key": "assessment"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "60480c0b87a88565190aaad6de7e3065", "key": "modified"}, {"hash": "5af752151c910f06ff713f3f8a07fe06", "key": "references"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "97a4e195afe5bd682d310edca10810ac", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0845", "id": "CVE-2003-0845", "lastseen": "2017-04-18T15:50:04", "modified": "2016-10-17T22:37:56", "objectVersion": "1.2", "published": "2003-11-17T00:00:00", "references": ["http://marc.info/?l=bugtraq&m=106547728803252&w=2", "http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866", "http://marc.info/?l=bugtraq&m=106546044416498&w=2", "http://www.redhat.com/support/errata/RHSA-2007-1048.html", "http://www.securityfocus.com/bid/8773"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:11300", "name": "oval:org.mitre.oval:def:11300", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2003-0845", "type": "cve", "viewCount": 0}, "differentElements": ["assessment", "modified"], "edition": 2, "lastseen": "2017-04-18T15:50:04"}], "edition": 3, "hashmap": [{"key": "assessment", "hash": "50b2cfa1f281991b46876f030ab9733d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "95457f251420371e396d029e2ea0a193"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "d326052586e6532c48388f0cbf399ba8"}, {"key": "href", "hash": "aae7446cae05b9c802205f8010489196"}, {"key": "modified", "hash": "fa59077edbcfe43f65212fc7979716d1"}, {"key": "published", "hash": "97a4e195afe5bd682d310edca10810ac"}, {"key": "references", "hash": "5af752151c910f06ff713f3f8a07fe06"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "2f74ef87709ac6327d65a5997fa52f7a"}, {"key": "title", "hash": "cd29023ac46db32a99410df27a064426"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "a926d6c8bed92b58457ca8feef95ddb74635877a0cceb2c8466420d80d78315e", "viewCount": 0, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": [], "assessment": {"href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11300", "name": "oval:org.mitre.oval:def:11300", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:11300", "name": "oval:org.mitre.oval:def:11300", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}]}
{"result": {"exploitdb": [{"id": "EDB-ID:23221", "type": "exploitdb", "title": "JBoss 3.0.8/3.2.1 HSQLDB Remote Command Injection Vulnerability", "description": "JBoss 3.0.8/3.2.1 HSQLDB Remote Command Injection Vulnerability. CVE-2003-0845. Remote exploits for multiple platform", "published": "2003-10-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/23221/", "cvelist": ["CVE-2003-0845"], "lastseen": "2016-02-02T20:32:30"}], "redhat": [{"id": "RHSA-2007:1048", "type": "redhat", "title": "(RHSA-2007:1048) Moderate: openoffice.org, hsqldb security update", "description": "OpenOffice.org is an office productivity suite.\r\nHSQLDB is a Java relational database engine used by OpenOffice.org Base.\r\n\r\nIt was discovered that HSQLDB could allow the execution of arbitrary public\r\nstatic Java methods. A carefully crafted odb file opened in OpenOffice.org\r\nBase could execute arbitrary commands with the permissions of the user\r\nrunning OpenOffice.org. (CVE-2007-4575)\r\n\r\nIt was discovered that HSQLDB did not have a password set on the 'sa' user.\r\n If HSQLDB has been configured as a service, a remote attacker who could\r\nconnect to the HSQLDB port (tcp 9001) could execute arbitrary SQL commands.\r\n(CVE-2003-0845)\r\n\r\nNote that in Red Hat Enterprise Linux 5, HSQLDB is not enabled as a service\r\nby default, and needs manual configuration in order to work as a service.\r\n\r\nUsers of OpenOffice.org or HSQLDB should update to these errata packages\r\nwhich contain backported patches to correct these issues.", "published": "2007-12-05T05:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2007:1048", "cvelist": ["CVE-2003-0845", "CVE-2007-4575"], "lastseen": "2017-09-09T07:20:38"}], "nessus": [{"id": "CENTOS_RHSA-2007-1048.NASL", "type": "nessus", "title": "CentOS 5 : openoffice.org / hsqldb (CESA-2007:1048)", "description": "The remote CentOS host is missing a security update which has been documented in Red Hat advisory RHSA-2007:1048.", "published": "2010-01-06T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=43661", "cvelist": ["CVE-2003-0845", "CVE-2007-4575"], "lastseen": "2018-06-29T06:11:26"}, {"id": "REDHAT-RHSA-2007-1048.NASL", "type": "nessus", "title": "RHEL 5 : openoffice.org, hsqldb (RHSA-2007:1048)", "description": "Updated openoffice.org and hsqldb packages that fix security flaws are now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nOpenOffice.org is an office productivity suite. HSQLDB is a Java relational database engine used by OpenOffice.org Base.\n\nIt was discovered that HSQLDB could allow the execution of arbitrary public static Java methods. A carefully crafted odb file opened in OpenOffice.org Base could execute arbitrary commands with the permissions of the user running OpenOffice.org. (CVE-2007-4575)\n\nIt was discovered that HSQLDB did not have a password set on the 'sa' user. If HSQLDB has been configured as a service, a remote attacker who could connect to the HSQLDB port (tcp 9001) could execute arbitrary SQL commands. (CVE-2003-0845)\n\nNote that in Red Hat Enterprise Linux 5, HSQLDB is not enabled as a service by default, and needs manual configuration in order to work as a service.\n\nUsers of OpenOffice.org or HSQLDB should update to these errata packages which contain backported patches to correct these issues.", "published": "2013-01-24T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63845", "cvelist": ["CVE-2003-0845", "CVE-2007-4575"], "lastseen": "2017-10-29T13:45:33"}, {"id": "SL_20071205_OPENOFFICE_ORG__HSQLDB_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : openoffice.org, hsqldb on SL5.x i386/x86_64", "description": "It was discovered that HSQLDB could allow the execution of arbitrary public static Java methods. A carefully crafted odb file opened in OpenOffice.org Base could execute arbitrary commands with the permissions of the user running OpenOffice.org. (CVE-2007-4575)\n\nIt was discovered that HSQLDB did not have a password set on the 'sa' user. If HSQLDB has been configured as a service, a remote attacker who could connect to the HSQLDB port (tcp 9001) could execute arbitrary SQL commands. (CVE-2003-0845)\n\nNote that in Scientific Linux 5, HSQLDB is not enabled as a service by default, and needs manual configuration in order to work as a service.", "published": "2012-08-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60324", "cvelist": ["CVE-2003-0845", "CVE-2007-4575"], "lastseen": "2017-10-29T13:39:44"}], "osvdb": [{"id": "OSVDB:10094", "type": "osvdb", "title": "JBoss HSQLDB Component TCP Port SQL Injection", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866)\n[Secunia Advisory ID:27914](https://secuniaresearch.flexerasoftware.com/advisories/27914/)\nRedHat RHSA: RHSA-2007:1048\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-10/0074.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-10/0087.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0044.html\nISS X-Force ID: 13357\n[CVE-2003-0845](https://vulners.com/cve/CVE-2003-0845)\n[CVE-2005-2158](https://vulners.com/cve/CVE-2005-2158)\nBugtraq ID: 8773\n", "published": "2003-10-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:10094", "cvelist": ["CVE-2005-2158", "CVE-2003-0845"], "lastseen": "2017-04-28T13:20:05"}], "centos": [{"id": "CESA-2007:1048", "type": "centos", "title": "hsqldb, openoffice.org security update", "description": "**CentOS Errata and Security Advisory** CESA-2007:1048\n\n\nOpenOffice.org is an office productivity suite.\r\nHSQLDB is a Java relational database engine used by OpenOffice.org Base.\r\n\r\nIt was discovered that HSQLDB could allow the execution of arbitrary public\r\nstatic Java methods. A carefully crafted odb file opened in OpenOffice.org\r\nBase could execute arbitrary commands with the permissions of the user\r\nrunning OpenOffice.org. (CVE-2007-4575)\r\n\r\nIt was discovered that HSQLDB did not have a password set on the 'sa' user.\r\n If HSQLDB has been configured as a service, a remote attacker who could\r\nconnect to the HSQLDB port (tcp 9001) could execute arbitrary SQL commands.\r\n(CVE-2003-0845)\r\n\r\nNote that in Red Hat Enterprise Linux 5, HSQLDB is not enabled as a service\r\nby default, and needs manual configuration in order to work as a service.\r\n\r\nUsers of OpenOffice.org or HSQLDB should update to these errata packages\r\nwhich contain backported patches to correct these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2008-January/014624.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-January/014625.html\n\n**Affected packages:**\nhsqldb\nhsqldb-demo\nhsqldb-javadoc\nhsqldb-manual\nopenoffice.org\nopenoffice.org-base\nopenoffice.org-calc\nopenoffice.org-core\nopenoffice.org-draw\nopenoffice.org-emailmerge\nopenoffice.org-graphicfilter\nopenoffice.org-impress\nopenoffice.org-javafilter\nopenoffice.org-langpack-af_ZA\nopenoffice.org-langpack-ar\nopenoffice.org-langpack-as_IN\nopenoffice.org-langpack-bg_BG\nopenoffice.org-langpack-bn\nopenoffice.org-langpack-ca_ES\nopenoffice.org-langpack-cs_CZ\nopenoffice.org-langpack-cy_GB\nopenoffice.org-langpack-da_DK\nopenoffice.org-langpack-de\nopenoffice.org-langpack-el_GR\nopenoffice.org-langpack-es\nopenoffice.org-langpack-et_EE\nopenoffice.org-langpack-eu_ES\nopenoffice.org-langpack-fi_FI\nopenoffice.org-langpack-fr\nopenoffice.org-langpack-ga_IE\nopenoffice.org-langpack-gl_ES\nopenoffice.org-langpack-gu_IN\nopenoffice.org-langpack-he_IL\nopenoffice.org-langpack-hi_IN\nopenoffice.org-langpack-hr_HR\nopenoffice.org-langpack-hu_HU\nopenoffice.org-langpack-it\nopenoffice.org-langpack-ja_JP\nopenoffice.org-langpack-kn_IN\nopenoffice.org-langpack-ko_KR\nopenoffice.org-langpack-lt_LT\nopenoffice.org-langpack-ml_IN\nopenoffice.org-langpack-mr_IN\nopenoffice.org-langpack-ms_MY\nopenoffice.org-langpack-nb_NO\nopenoffice.org-langpack-nl\nopenoffice.org-langpack-nn_NO\nopenoffice.org-langpack-nr_ZA\nopenoffice.org-langpack-nso_ZA\nopenoffice.org-langpack-or_IN\nopenoffice.org-langpack-pa_IN\nopenoffice.org-langpack-pl_PL\nopenoffice.org-langpack-pt_BR\nopenoffice.org-langpack-pt_PT\nopenoffice.org-langpack-ru\nopenoffice.org-langpack-sk_SK\nopenoffice.org-langpack-sl_SI\nopenoffice.org-langpack-sr_CS\nopenoffice.org-langpack-ss_ZA\nopenoffice.org-langpack-st_ZA\nopenoffice.org-langpack-sv\nopenoffice.org-langpack-ta_IN\nopenoffice.org-langpack-te_IN\nopenoffice.org-langpack-th_TH\nopenoffice.org-langpack-tn_ZA\nopenoffice.org-langpack-tr_TR\nopenoffice.org-langpack-ts_ZA\nopenoffice.org-langpack-ur\nopenoffice.org-langpack-ve_ZA\nopenoffice.org-langpack-xh_ZA\nopenoffice.org-langpack-zh_CN\nopenoffice.org-langpack-zh_TW\nopenoffice.org-langpack-zu_ZA\nopenoffice.org-math\nopenoffice.org-pyuno\nopenoffice.org-testtools\nopenoffice.org-writer\nopenoffice.org-xsltfilter\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2007-1048.html", "published": "2008-01-19T00:14:54", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2008-January/014624.html", "cvelist": ["CVE-2003-0845", "CVE-2007-4575"], "lastseen": "2017-10-12T14:47:07"}]}}
