Description
OrientDB through 2.2.22 does not enforce privilege requirements during "where" or "fetchplan" or "order by" use, which allows remote attackers to execute arbitrary OS commands via a crafted request.
Remediation
References
https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017
http://www.heavensec.org/?p=1703
Related Vulnerabilities
CVE-2016-10637 Vulnerability in npm package haxe-dev
CVE-2019-1003059 Vulnerability in maven package org.jvnet.hudson.plugins:ftppublisher
CVE-2020-15362 Vulnerability in npm package wifiscanner
CVE-2020-25711 Vulnerability in maven package org.infinispan:infinispan-server-runtime
CVE-2020-13957 Vulnerability in maven package org.apache.solr:solr-solrj