Posted to derby-dev@db.apache.org by "Rick Hillegas (JIRA)" <ji...@apache.org> on 2014/06/20 18:38:25 UTC
[jira] [Created] (DERBY-6631) FileMonitor can be used to elevate an application's privileges
Rick Hillegas created DERBY-6631:
------------------------------------
Summary: FileMonitor can be used to elevate an application's privileges
Key: DERBY-6631
URL: https://issues.apache.org/jira/browse/DERBY-6631
Project: Derby
Issue Type: Bug
Components: Services
Affects Versions: 10.11.0.0
Reporter: Rick Hillegas
Various vulnerabilities in FileMonitor allow applications to perform security-sensitive operations with the elevated privileges granted to Derby:
getDaemonThread() - The application can call this method in order to create threads, using Derby's elevated privileges.
getJVMProperty() - The application can call this in order to read system properties using Derby's elevated privileges.
setThreadPriority() - The application can call this method to change the priority of a daemon thread it has created. This call will execute with Derby's elevated privileges.
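The pattern the report describes for getJVMProperty(), shown next to a guarded form, as an added example that is not Derby's code and is not taken from the issue. The class name, method names and the permission name are hypothetical. It assumes a JVM running under the Java SecurityManager with a policy that grants the library more permissions than the application.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical stand-in for a library class that holds more permissions
// than the application code calling it. Not Derby's FileMonitor.
public final class PrivilegedMonitorSketch {

    // Constructed permission name: only code that is allowed to use the
    // library's internal entry points would be granted it in the policy file.
    private static final RuntimePermission USE_INTERNALS =
        new RuntimePermission("hypothetical.useMonitorInternals");

    // Unguarded form: the public method wraps the read in doPrivileged(), so
    // the stack walk stops at this frame and the caller's own permission set
    // is never consulted. Any caller gets the library's PropertyPermission.
    public static String getJVMPropertyUnguarded(final String key) {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    // Guarded form: check the whole call stack BEFORE entering the privileged
    // block. A caller without the permission gets a SecurityException
    // and the privileged read never runs.
    public static String getJVMPropertyGuarded(final String key) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(USE_INTERNALS);
        }
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    public static void main(String[] args) {
        // With no SecurityManager installed both calls behave identically.
        // The difference appears only when a policy grants the library
        // PropertyPermission and withholds it from the application.
        System.out.println(getJVMPropertyUnguarded("java.version"));
        System.out.println(getJVMPropertyGuarded("java.version"));
    }
}
```

The same check-then-doPrivileged ordering applies to wrappers around thread creation and thread-priority changes. AccessController and SecurityManager are deprecated for removal in current JDKs, so this reflects the security model in use when the issue was filed.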