GHSA-XM6R-4466-MR74 OrientDB vulnerable to Improper Privilege Management leading to arbitrary command injection
OrientDB through 2.2.22 does not enforce privilege requirements during "where" or "fetchplan" or "order by" use, which allows remote attackers to execute arbitrary OS commands via a crafted request...
Remote Code Execution (RCE)
OrientDB Core is vulnerable to remote code execution (RCE) attacks. Permissions are not enforced when a user executes a statement against the ORole structure that contains a where, fetchplan or order by clause. By executing a Groovy function where the Groovy wrapper doesn't have a sandbox, any system...
CVE-2017-11467
OrientDB through 2.2.22 does not enforce privilege requirements during "where" or "fetchplan" or "order by" use, which allows remote attackers to execute arbitrary OS commands via a crafted request...
PT-2017-2829 · OrientDB · OrientDB
Name of the Vulnerable Software and Affected Versions: OrientDB versions 2.2.22 and earlier. Description: The issue is related to insufficient access control in certain functions, specifically where, fetchplan, and order by. This allows remote attackers to execute arbitrary OS commands via a crafted...
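All four records describe the same defect: a privilege check that is applied to the statement as a whole but not to server-side functions reached through its where, order by or fetchplan clauses. The following Python model is an added illustration of that missing check; it is not OrientDB code, and the Role fields, the BUILTIN_FUNCTIONS set and the function names are assumed for the example. It contrasts an authorizer that only checks the read right (the behaviour the advisories describe) with one that also requires execute privilege whenever a non-built-in function appears in those clauses.

```python
"""Model of the privilege check OrientDB <= 2.2.22 lacked (illustration only)."""
import re
from dataclasses import dataclass
from typing import Set

# Keywords whose arguments are expressions, so they can carry function calls.
CLAUSE_RE = re.compile(r"\b(?:where|order\s+by|fetchplan)\b", re.IGNORECASE)
# An identifier directly followed by "(" is treated as a function call.
FUNC_CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
# Assumed, illustrative set of built-ins that need no extra privilege
# (not the real OrientDB built-in function list).
BUILTIN_FUNCTIONS = {"count", "sum", "avg", "min", "max", "upper", "lower"}


@dataclass(frozen=True)
class Role:
    name: str
    can_read: bool               # may run SELECT against the target class
    can_execute_functions: bool  # may invoke server-side (e.g. Groovy) functions


def referenced_functions(statement: str) -> Set[str]:
    """Return non-built-in function names called after the first
    where / order by / fetchplan keyword, lower-cased."""
    clause = CLAUSE_RE.search(statement)
    if not clause:
        return set()
    tail = statement[clause.end():]
    names = {name.lower() for name in FUNC_CALL_RE.findall(tail)}
    return names - BUILTIN_FUNCTIONS


def authorize_before_fix(statement: str, role: Role) -> bool:
    """Flawed behaviour: only the read right is checked, so any function
    placed in where/order by/fetchplan is evaluated with server privileges."""
    return role.can_read


def authorize_after_fix(statement: str, role: Role) -> bool:
    """Corrected behaviour: a statement that calls a server-side function in
    those clauses additionally requires the execute privilege."""
    if not role.can_read:
        return False
    if referenced_functions(statement) and not role.can_execute_functions:
        return False
    return True


if __name__ == "__main__":
    reader = Role("reader", can_read=True, can_execute_functions=False)
    # Constructed statements; "myGroovyFn" is a hypothetical server-side function.
    benign = "select from OUser where name = 'x' order by name"
    abusive = "select from OUser where myGroovyFn(name) = 1"
    print("before fix, reader:", authorize_before_fix(abusive, reader))  # True
    print("after fix, reader: ", authorize_after_fix(abusive, reader))   # False
    print("benign, reader:    ", authorize_after_fix(benign, reader))    # True
```

The point of the model is where the check sits: the read permission alone says nothing about what a function in a filter or sort expression will do once the engine evaluates it, so the decision has to inspect the expressions themselves, not just the statement's target.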