CRITICAL🇵🇱 Wersja polska

CVE-2024-30923

CVSS 9.8v3.1pub. 2024-04-18upd. 2025-11-04

SQL Injection vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the where Clause in Racer Document Rendering

🤖 AI Analysis
How it works

The vulnerability occurs in the racer document rendering mechanism, where the application does not properly validate input data passed in the WHERE clause of an SQL query. An attacker can craft a malicious network request containing a properly constructed SQL payload that will be executed directly by the database engine. By abusing database mechanisms, it is possible to further execute arbitrary code (RCE) on the vulnerable system.

Impact

An attacker can gain full control over the application's database, and consequently execute arbitrary code on the server, leading to compromise of confidentiality, integrity, and availability of the entire system.

Mitigation & patch

Patches available from the vendor should be applied according to the references. As additional remedial measures, it is recommended to restrict access to the application only to trusted networks and to apply WAF rules blocking SQL Injection attempts.

Who is affected

DerbyNet in version 9.0 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Derbynet

    APP
    Derbynet
    ≤ 9.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCESQLi
CWE
References

Related vulnerabilities

CVE-2024-30922CRITICAL9.8PL ✓ten sam produkt

SQL Injection w DerbyNet v9.0 — zdalne wykonanie kodu przez klauzulę WHERE

CVE-2024-31818CRITICAL9.8PL ✓ten sam produkt

Path Traversal z RCE w DerbyNet v.9.0 — komponent kiosk.php

CVE-2024-30920HIGH7.4ten sam produkt

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary co...

CVE-2024-30928HIGH8.1ten sam produkt

SQL Injection vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary SQL commands via ...

CVE-2024-30929HIGH8.0ten sam produkt

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via t...