Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00NWh4LXdmaGotNDczeM0kjA
Arbitrary code execution in H2 Console
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Permalink: https://github.com/advisories/GHSA-45hx-wfhj-473x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NWh4LXdmaGotNDczeM0kjA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: 9 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-45hx-wfhj-473x, CVE-2022-23221
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-23221
- https://github.com/h2database/h2database/releases/tag/version-2.1.210
- https://github.com/h2database/h2database/security/advisories
- https://twitter.com/d0nkey_man/status/1483824727936450564
- http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2022/Jan/39
- https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html
- https://www.debian.org/security/2022/dsa-5076
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://security.netapp.com/advisory/ntap-20230818-0011/
- https://github.com/advisories/GHSA-45hx-wfhj-473x
Blast Radius: 53.2
Affected Packages
maven:com.h2database:h2
Dependent packages: 7,790
Dependent repositories: 266,808
Affected Version Ranges: < 2.1.210
Fixed in: 2.1.210
All affected versions: 1.0.57, 1.0.58, 1.0.59, 1.0.60, 1.0.61, 1.0.62, 1.0.63, 1.0.64, 1.0.65, 1.0.66, 1.0.67, 1.0.68, 1.0.69, 1.0.70, 1.0.71, 1.0.72, 1.0.73, 1.0.74, 1.0.75, 1.0.76, 1.0.77, 1.0.78, 1.0.79, 1.0.20061217, 1.0.20070304, 1.0.20070429, 1.0.20070617, 1.1.100, 1.1.101, 1.1.102, 1.1.103, 1.1.104, 1.1.105, 1.1.106, 1.1.107, 1.1.108, 1.1.109, 1.1.110, 1.1.111, 1.1.112, 1.1.113, 1.1.114, 1.1.115, 1.1.116, 1.1.117, 1.1.118, 1.1.119, 1.2.120, 1.2.121, 1.2.122, 1.2.123, 1.2.124, 1.2.125, 1.2.126, 1.2.127, 1.2.128, 1.2.129, 1.2.130, 1.2.131, 1.2.132, 1.2.133, 1.2.134, 1.2.135, 1.2.136, 1.2.137, 1.2.138, 1.2.139, 1.2.140, 1.2.141, 1.2.142, 1.2.143, 1.2.144, 1.2.145, 1.2.147, 1.3.146, 1.3.148, 1.3.149, 1.3.150, 1.3.151, 1.3.152, 1.3.153, 1.3.154, 1.3.155, 1.3.156, 1.3.157, 1.3.158, 1.3.159, 1.3.160, 1.3.161, 1.3.162, 1.3.163, 1.3.164, 1.3.165, 1.3.166, 1.3.167, 1.3.168, 1.3.169, 1.3.170, 1.3.171, 1.3.172, 1.3.173, 1.3.174, 1.3.175, 1.3.176, 1.4.177, 1.4.178, 1.4.179, 1.4.180, 1.4.181, 1.4.182, 1.4.183, 1.4.184, 1.4.185, 1.4.186, 1.4.187, 1.4.188, 1.4.189, 1.4.190, 1.4.191, 1.4.192, 1.4.193, 1.4.194, 1.4.195, 1.4.196, 1.4.197, 1.4.198, 1.4.199, 1.4.200, 2.0.202, 2.0.204, 2.0.206
All unaffected versions: 2.1.210, 2.1.212, 2.1.214, 2.2.220, 2.2.222, 2.2.224
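Two checks a practitioner would run against this advisory are a version check of com.h2database:h2 against the affected range (< 2.1.210, fixed in 2.1.210) and an audit of H2 JDBC URLs for the setting combination the description names (a jdbc:h2:mem database with IGNORE_UNKNOWN_SETTINGS=TRUE, FORBID_CREATION=FALSE and an INIT that runs RUNSCRIPT). The script below is an added example, not code from ecosyste.ms, GitHub or the H2 project; the sample versions and URLs are constructed, and the URL splitter assumes the plain `jdbc:h2:<database>;KEY=VALUE;...` form without `\;` escapes inside values.

```python
"""Audit helpers for GHSA-45hx-wfhj-473x / CVE-2022-23221 (H2 Console).

Added example, not part of the advisory page or the H2 project.
  1. is_affected_version(): is an H2 version inside the advisory's
     affected range "< 2.1.210"?
  2. audit_h2_url(): does an H2 JDBC URL carry the setting combination the
     advisory names on an in-memory (jdbc:h2:mem) database?
Sample inputs at the bottom are constructed for this example.
"""
import re

FIXED_VERSION = (2, 1, 210)  # "Fixed in: 2.1.210"


def parse_version(version: str) -> tuple:
    """Turn an H2 version string into a comparable tuple of ints.

    H2 versions are dotted integers, including date-like builds such as
    1.0.20061217, so a numeric tuple comparison orders them correctly.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised H2 version: {version!r}")
    return tuple(int(p) for p in version.split("."))


def is_affected_version(version: str) -> bool:
    """True if the version falls in the affected range (< 2.1.210)."""
    return parse_version(version) < FIXED_VERSION


def parse_h2_url(url: str) -> tuple:
    """Split an H2 JDBC URL into (database part, {SETTING: value}).

    H2 URLs look like jdbc:h2:<database>;KEY=VALUE;KEY=VALUE. Settings are
    separated by ';'. (H2 also accepts '\\;' escapes inside values; this
    simple splitter does not handle them, which is an assumption here.)
    """
    if not url.lower().startswith("jdbc:h2:"):
        raise ValueError("not an H2 JDBC URL")
    parts = url.split(";")
    settings = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            settings[key.strip().upper()] = value.strip()
    return parts[0], settings


def audit_h2_url(url: str) -> list:
    """Return the advisory-relevant findings for one URL (empty if clean)."""
    database, settings = parse_h2_url(url)
    findings = []
    if database.lower().startswith("jdbc:h2:mem"):
        findings.append("in-memory database (jdbc:h2:mem)")
    if settings.get("IGNORE_UNKNOWN_SETTINGS", "").upper() == "TRUE":
        findings.append("IGNORE_UNKNOWN_SETTINGS=TRUE")
    if settings.get("FORBID_CREATION", "").upper() == "FALSE":
        findings.append("FORBID_CREATION=FALSE")
    if settings.get("INIT", "").lstrip().upper().startswith("RUNSCRIPT"):
        findings.append("INIT=RUNSCRIPT")
    return findings


def matches_advisory(url: str) -> bool:
    """True only when all four conditions from the advisory are present."""
    return len(audit_h2_url(url)) == 4


# Constructed sample inputs (not from the page).
SAMPLE_VERSIONS = ["1.4.200", "2.0.206", "1.0.20061217", "2.1.210", "2.2.224"]
SUSPICIOUS_URL = ("jdbc:h2:mem:test;IGNORE_UNKNOWN_SETTINGS=TRUE;"
                  "FORBID_CREATION=FALSE;INIT=RUNSCRIPT FROM '/tmp/init.sql'")
BENIGN_URL = "jdbc:h2:file:./data/app;DB_CLOSE_DELAY=-1"


def run_audit() -> dict:
    """Apply both checks to the sample inputs and return the results."""
    return {
        "affected_versions": [v for v in SAMPLE_VERSIONS if is_affected_version(v)],
        "suspicious_url_findings": audit_h2_url(SUSPICIOUS_URL),
        "benign_url_findings": audit_h2_url(BENIGN_URL),
    }


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(f"{name}: {result}")
```

The version check alone is the supply-chain test: anything below 2.1.210 is inside the range, including every 1.x build and 2.0.202/204/206. The URL audit is a configuration and detection aid only: a URL that trips all four findings matches the advisory's description, but the real fix is the upgrade, since the page records no mitigating setting.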