EUVD-2022-3476

Malicious code in bioql PyPI...

CVE-2024-52279

Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue...

CVE-2024-52279

CVE-2024-52279 affects Apache Zeppelin (0.11.1 before 0.12.0). The issue is an improper input validation in the JDBC URL handling that did not account for URL-encoded input, enabling an attack via a malicious JDBC connection string and potentially leading to arbitrary file read. The evidence link...

PT-2025-31783 · Apache · Apache Zeppelin

Name of the Vulnerable Software and Affected Versions: Apache Zeppelin versions 0.11.1 through 0.12.0 Description: An improper input validation issue exists in Apache Zeppelin. The fix for JDBC URL validation did not account for URL encoded input. Recommendations: Upgrade to version 0.12.0...

CVE-2020-2235

A cross-site request forgery CSRF vulnerability in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows attackers to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkin...

CVE-2024-45199

insightsoftware Hive JDBC through 2.6.13 has a remote code execution vulnerability. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code executi...

CVE-2022-31764

The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database. This issue affects Apache ShardingSphere ElasticJob-UI version 3.0.1 and prior versions. This vulnerability has been fixed in ElasticJob-UI 3.0.2. The premise of...

CVE-2022-31764 Apache ShardingSphere ElasticJob-UI allows RCE via event trace data source JDBC

The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database. This issue affects Apache ShardingSphere ElasticJob-UI version 3.0.1 and prior versions. This vulnerability has been fixed in ElasticJob-UI 3.0.2. The premise of...

CVE-2024-54660

A JNDI injection issue was discovered in Cloudera JDBC Connector for Hive before 2.6.26 and JDBC Connector for Impala before 2.6.35. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the...

CVE-2024-52899

IBM Data Virtualization Manager for z/OS 1.1 and 1.2 could allow an authenticated user to inject malicious JDBC URL parameters and execute code on the server...

CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connectionurl property with a...

CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connectionurl property with a...

CVE-2024-45758

CVE-2024-45758 affects H2O.ai H2O (up to and including 3.46.0.4). The issue arises from the ability to arbitrarily set the JDBC URL via the ImportSQLTable POST JSON payload containing a connection_url, which enables deserialization attacks, file reads, and command execution. Root cause relates to...

CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connectionurl property with a...

GHSA-VPW3-3PRF-3974 Apache Hive Code Injection vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Apache Hive. The vulnerability affects the Hive JDBC driver component and it can potentially lead to arbitrary code execution on the machine/endpoint that the JDBC driver client is running. The malicious user must have...

BIT-POSTGRESQL-JDBC-DRIVER-2022-26520

In pgjdbc before 42.3.3, an attacker who controls the jdbc URL or properties can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat...

Arbitrary File Read

OpenRefine is vulnerable to Arbitrary File Read. The vulnerability due to improper jdbc url sanitization, which allows an attacker to set the allowLoadLocalInfile value to true by passing it through the databaseName parameter. This can be exploited to read sensitive internal server files...

OpenRefine Remote Code execution in project import with mysql jdbc url attack

Summary An remote Code exec vulnerability allows any unauthenticated user to exec code on the server. Details Hi,Team, i find openrefine support to import data from database,When use mysql jdbc to connect to database,It is vulnerable to jdbc url attacks,for example,unauthenticated attacker can ge...

GHSA-PQ67-9JF9-HC3C JDBC URL bypassing by allowLoadLocalInfileInPath param

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8....

Remote Code Execution (RCE)

sqlite-jdbc is vulnerable to Remote Code Execution RCE. The vulnerability exists because the extractResource function of SQLiteConnection.java does not properly validate the user input URL, which allows an attacker to inject and execute malicious code through the JDBC URL...