CVE-2022-41853: 
Java vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2022-41853) was discovered in HyperSQL DataBase (HSQLDB) affecting users who process untrusted input using java.sql.Statement or java.sql.PreparedStatement. The vulnerability was disclosed in October 2022 and affects HSQLDB installations where any static method of any Java class in the classpath could be called by default, potentially resulting in code execution (NVD, Debian LTS).

The vulnerability exists in the default configuration of HSQLDB where any static method of any Java class in the classpath can be called when processing SQL statements through java.sql.Statement or java.sql.PreparedStatement interfaces. This unrestricted access to Java methods creates a potential vector for remote code execution when processing untrusted input (Red Hat CVE).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code remotely through untrusted input processing, potentially leading to complete system compromise (Debian Security).

The vulnerability can be mitigated by either updating to patched versions or by setting the system property 'hsqldb.methodclassnames' to explicitly specify which classes are allowed to be called. For example, using System.setProperty('hsqldb.methodclassnames','abc') or the Java argument -Dhsqldb.methodclassnames='abc'. In patched versions, all classes by default are not accessible except those in java.lang.Math and need to be manually enabled (Debian LTS).