DbVisualizer is written in Java and can therefore be exposed to vulnerabilities in the Java Virtual Machine and the Java ecosystem. Since DbVisualizer is a rich client that runs on a local computer with its own Java VM (as opposed to a web-based client), attacks that target cloud services or network communication do not apply to the DbVisualizer application itself. Vulnerabilities in the JDBC drivers that DbVisualizer uses to communicate with the database server can, however, be exposed; this must be verified with the driver vendor.


Below is a list of specific vulnerabilities that have raised concerns among DbVisualizer users, with an explanation of whether and how DbVisualizer is exposed, and what the proper mitigation is.


Apache Commons Text

CVE-2022-42889


DbVisualizer uses Apache Commons Text, but the vulnerable code path (the variable interpolation lookups that can execute scripts or contact remote servers) is never invoked, so the vulnerability does not affect DbVisualizer.

Recommended Action: None.


Spring Framework

CVE-2022-22963, CVE-2022-22965


Recommended Action: None.


DbVisualizer does not use the Spring Framework and is hence not exposed. 


Log4J

CVE-2021-44228, CVE-2021-4104, CVE-2021-44832


Recommended action: None.


DbVisualizer 9.2.4 and later
DbVisualizer uses the standard Java logging framework (java.util.logging), not Log4j. Some JDBC drivers that DbVisualizer loads do use Log4j; the exploit should not be reachable in a DbVisualizer environment since it is not a server application, but as noted above, the Log4j version bundled by a driver is the driver vendor's responsibility and should be verified with them.

DbVisualizer 9.2.3 and earlier
Older versions of DbVisualizer use Log4j 1.2.16 or earlier. According to the Log4j project, applications using Log4j 1.x are not impacted by CVE-2021-44228 except when they use JNDI (the JMSAppender) in their configuration; a separate CVE, CVE-2021-4104, was filed for that case.

DbVisualizer 9.2.3 and earlier do not use JNDI in their Log4j configuration, so DbVisualizer is not vulnerable to CVE-2021-4104.


SQLite

CVE-2023-32697


Sqlite-jdbc version 3.41.2.2 fixes a remote code execution vulnerability that is triggered through the JDBC URL: connecting to an SQLite database with a malicious JDBC URL can execute arbitrary code. The issue affects versions 3.6.14.1 through 3.41.2.1.


Recommended action: If you are using SQLite, update the sqlite-jdbc driver (org.xerial:sqlite-jdbc) to version 3.41.2.2 or later. This is the version of the JDBC driver artifact, not of the SQLite database engine.

Go to Tools / Driver Manager...
Select the SQLite driver.
Right-click the row in Driver artifacts with org.xerial:sqlite-jdbc and click Edit Driver Artifacts...
Select version 3.41.2.2 or any later version and click OK.
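The following is an added example, not code from DbVisualizer or from the sqlite-jdbc project. It is a small Python audit script that inventories the Maven artifacts bundled in JDBC driver jars, flags any org.xerial:sqlite-jdbc version inside the CVE-2023-32697 range (3.6.14.1 through 3.41.2.1, as stated above), and also reports any Log4j artifact a driver bundles so that the Log4j note above can be checked against the drivers actually installed rather than assumed. It assumes the jars are Maven-built and therefore carry META-INF/maven/<groupId>/<artifactId>/pom.properties, and that user-added drivers live under ~/.dbvis/jdbc (an assumption; pass whatever directory your drivers are in). The sample jar is constructed in memory so the script runs offline.

```python
from __future__ import annotations

import io
import re
import sys
import zipfile
from pathlib import Path

# Affected range of org.xerial:sqlite-jdbc for CVE-2023-32697, taken from the advisory text above.
SQLITE_JDBC_FIRST_AFFECTED = "3.6.14.1"
SQLITE_JDBC_FIRST_FIXED = "3.41.2.2"

# Maven groupIds under which Log4j 2.x and Log4j 1.x are published.
LOG4J_GROUPS = ("org.apache.logging.log4j", "log4j")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '3.41.2.1' into a comparable tuple of ints; a trailing qualifier is ignored."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 4:  # pad so that 3.6.14 sorts below 3.6.14.1
        parts.append(0)
    return tuple(parts)


def sqlite_jdbc_affected(version: str) -> bool:
    """True if this sqlite-jdbc version lies in [3.6.14.1, 3.41.2.2)."""
    v = parse_version(version)
    return parse_version(SQLITE_JDBC_FIRST_AFFECTED) <= v < parse_version(SQLITE_JDBC_FIRST_FIXED)


def maven_artifacts_in_jar(jar_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every META-INF/maven/**/pom.properties in a jar.

    A driver jar that shades other libraries (for example Log4j) normally carries one
    pom.properties per bundled library, so this doubles as a bundled-dependency inventory.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"}.issubset(props):
                found.append((props["groupId"], props["artifactId"], props["version"]))
    return found


def audit_jar(jar_bytes: bytes) -> list[str]:
    """Findings for one jar: an affected sqlite-jdbc, plus any bundled Log4j to verify with the vendor."""
    findings = []
    for group, artifact, version in maven_artifacts_in_jar(jar_bytes):
        if (group, artifact) == ("org.xerial", "sqlite-jdbc") and sqlite_jdbc_affected(version):
            findings.append(
                f"sqlite-jdbc {version} is in the CVE-2023-32697 range; "
                f"update to {SQLITE_JDBC_FIRST_FIXED} or later"
            )
        if group in LOG4J_GROUPS:
            findings.append(f"bundles {group}:{artifact}:{version}; confirm Log4j CVE status with the driver vendor")
    return findings


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every *.jar below a directory, e.g. DbVisualizer's user driver folder (assumed ~/.dbvis/jdbc)."""
    return {str(p): audit_jar(p.read_bytes()) for p in sorted(directory.rglob("*.jar"))}


def build_sample_jar(group: str, artifact: str, version: str) -> bytes:
    """Constructed sample input: a minimal jar holding only pom.properties, so the audit can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            f"META-INF/maven/{group}/{artifact}/pom.properties",
            f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Offline demonstration on constructed jars: one affected, one fixed.
    for version in ("3.41.2.1", "3.41.2.2"):
        print(version, audit_jar(build_sample_jar("org.xerial", "sqlite-jdbc", version)) or "no findings")
    # Optional: audit a real driver directory given on the command line.
    if len(sys.argv) > 1:
        for path, findings in audit_directory(Path(sys.argv[1])).items():
            print(path, findings or "no findings")
```

Run it with the directory holding your driver jars (for example `python audit_drivers.py ~/.dbvis/jdbc`) to get one line per jar. A jar that bundles no pom.properties at all produces no findings; that is a limitation of the inventory, not proof that the jar is clean, so treat a silent result for a shaded driver as "check the manifest or ask the vendor".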