Describe the bug, including details regarding any error messages, version, and platform.
flight-sql uses org.apache.derby:derby:10.15.2.0 in test scope, which is flagged
as vulnerable to CVE-2022-46337: a critical (CVSS 9.8) LDAP authentication bypass.
There is no fix available for this dependency and there never will be.
The NVD advisory lists 10.15.2.1 as the fix for the Java 11 branch, but that
version was never published to Maven Central. The same is true for 10.14.3.0 and
10.16.1.2. The only fixed release that exists on Maven Central is 10.17.1.0
(Java 21+), which was also the last release ever made.
On 2025-10-10, the Derby PMC voted to retire the project into a read-only state.
Development and bug-fixing have ended and no further releases will be published. This
means the 10.15.x branch will remain vulnerable indefinitely with no upstream
resolution path.
Context on why the patch versions were never released:
- DERBY-7147 — fix committed to branches, but no releases were cut for 10.14/10.15/10.16
- DERBY-7178 — closed as "Not A Problem" by the Derby team
Since Derby is test scope only in flight-sql, there is no runtime exposure.
However, this causes persistent scanner noise for downstream consumers and the
situation will not improve on its own.
Possible paths forward:
- Upgrade to 10.17.1.0 (requires Java 21 as test baseline for flight-sql)
- Replace Derby with another embedded DB (e.g. H2) in flight-sql tests — likely the cleanest long-term option given Derby's retirement
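A small check that reproduces the core observation of this report, added here as an example and not code from the flight-sql project: given the versions an advisory names as fixes, look them up in the artifact's `maven-metadata.xml` from Maven Central and report which ones were actually published, and whether any published fix exists on the same release branch as the version currently in use. The metadata document embedded below is a constructed sample in the shape Maven Central serves (it is not a live fetch, and its version list is illustrative); the advisory fix list and the current version are the ones stated in the report.

```python
"""Compare advisory-listed fix versions against published Maven Central versions.

Added example, not part of the flight-sql project. SAMPLE_METADATA is a
constructed maven-metadata.xml; swap in the real document fetched from
https://repo1.maven.org/maven2/org/apache/derby/derby/maven-metadata.xml
to run the check against live data.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample shaped like Maven Central's maven-metadata.xml.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>org.apache.derby</groupId>
  <artifactId>derby</artifactId>
  <versioning>
    <latest>10.17.1.0</latest>
    <release>10.17.1.0</release>
    <versions>
      <version>10.14.2.0</version>
      <version>10.15.2.0</version>
      <version>10.16.1.1</version>
      <version>10.17.1.0</version>
    </versions>
    <lastUpdated>20231101000000</lastUpdated>
  </versioning>
</metadata>
"""

# Versions the issue reports as advisory-listed fixes for CVE-2022-46337.
ADVISORY_FIXES = ["10.14.3.0", "10.15.2.1", "10.16.1.2", "10.17.1.0"]
CURRENT_VERSION = "10.15.2.0"


def published_versions(metadata_xml: str) -> set[str]:
    """Extract the set of version strings listed under <versioning><versions>."""
    root = ET.fromstring(metadata_xml)
    return {
        v.text.strip()
        for v in root.iterfind("./versioning/versions/version")
        if v.text
    }


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '10.15.2.0' into (10, 15, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def branch(v: str) -> tuple[int, int]:
    """Derby release branches are identified by major.minor (e.g. 10.15)."""
    return parse_version(v)[:2]


def classify_fixes(advisory_fixes: list[str], published: set[str]) -> dict[str, str]:
    """Map each advisory fix version to 'published' or 'missing'."""
    return {v: ("published" if v in published else "missing") for v in advisory_fixes}


def resolution_options(current: str, advisory_fixes: list[str], published: set[str]):
    """Return (same-branch fix or None, list of published fixes on other branches).

    A same-branch fix is a drop-in patch upgrade; an other-branch fix (here the
    Java 21+ line) implies a larger change, which is what the report describes.
    """
    cur_branch = branch(current)
    same = sorted(
        (v for v in advisory_fixes
         if v in published and branch(v) == cur_branch
         and parse_version(v) > parse_version(current)),
        key=parse_version,
    )
    other = sorted(
        (v for v in advisory_fixes if v in published and branch(v) != cur_branch),
        key=parse_version,
    )
    return (same[0] if same else None), other


if __name__ == "__main__":
    published = published_versions(SAMPLE_METADATA)
    for version, status in classify_fixes(ADVISORY_FIXES, published).items():
        print(f"{version}: {status}")
    same_branch, other_branches = resolution_options(CURRENT_VERSION, ADVISORY_FIXES, published)
    print(f"same-branch fix for {CURRENT_VERSION}: {same_branch}")
    print(f"published fixes on other branches: {other_branches}")
```

Against the sample metadata the script reports every 10.14/10.15/10.16 fix as missing and 10.17.1.0 as the only published fix, on a different branch, which is the situation the report describes. Running it against the live metadata is the quickest way for a downstream consumer to confirm a scanner's "fixed in" claim before spending time on an upgrade that cannot be resolved.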