Vulnerability Details CVE-2022-23221
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.256
EPSS Ranking 95.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 10.0
Products affected by CVE-2022-23221
- cpe:2.3:a:h2database:h2:1.1.101
- cpe:2.3:a:h2database:h2:1.1.102
- cpe:2.3:a:h2database:h2:1.1.103
- cpe:2.3:a:h2database:h2:1.1.104
- cpe:2.3:a:h2database:h2:1.1.105
- cpe:2.3:a:h2database:h2:1.1.106
- cpe:2.3:a:h2database:h2:1.1.107
- cpe:2.3:a:h2database:h2:1.1.108
- cpe:2.3:a:h2database:h2:1.1.109
- cpe:2.3:a:h2database:h2:1.1.110
- cpe:2.3:a:h2database:h2:1.1.111
- cpe:2.3:a:h2database:h2:1.1.112
- cpe:2.3:a:h2database:h2:1.1.113
- cpe:2.3:a:h2database:h2:1.1.114
- cpe:2.3:a:h2database:h2:1.1.115
- cpe:2.3:a:h2database:h2:1.1.116
- cpe:2.3:a:h2database:h2:1.1.117
- cpe:2.3:a:h2database:h2:1.1.118
- cpe:2.3:a:h2database:h2:1.1.119
- cpe:2.3:a:h2database:h2:1.2.120
- cpe:2.3:a:h2database:h2:1.2.121
- cpe:2.3:a:h2database:h2:1.2.122
- cpe:2.3:a:h2database:h2:1.2.123
- cpe:2.3:a:h2database:h2:1.2.124
- cpe:2.3:a:h2database:h2:1.2.125
- cpe:2.3:a:h2database:h2:1.2.126
- cpe:2.3:a:h2database:h2:1.2.127
- cpe:2.3:a:h2database:h2:1.2.128
- cpe:2.3:a:h2database:h2:1.2.129
- cpe:2.3:a:h2database:h2:1.2.130
- cpe:2.3:a:h2database:h2:1.2.131
- cpe:2.3:a:h2database:h2:1.2.132
- cpe:2.3:a:h2database:h2:1.2.133
- cpe:2.3:a:h2database:h2:1.2.134
- cpe:2.3:a:h2database:h2:1.2.135
- cpe:2.3:a:h2database:h2:1.2.136
- cpe:2.3:a:h2database:h2:1.2.137
- cpe:2.3:a:h2database:h2:1.2.138
- cpe:2.3:a:h2database:h2:1.2.139
- cpe:2.3:a:h2database:h2:1.2.140
- cpe:2.3:a:h2database:h2:1.2.141
- cpe:2.3:a:h2database:h2:1.2.142
- cpe:2.3:a:h2database:h2:1.2.143
- cpe:2.3:a:h2database:h2:1.2.144
- cpe:2.3:a:h2database:h2:1.2.145
- cpe:2.3:a:h2database:h2:1.2.147
- cpe:2.3:a:h2database:h2:1.3.146
- cpe:2.3:a:h2database:h2:1.3.148
- cpe:2.3:a:h2database:h2:1.3.149
- cpe:2.3:a:h2database:h2:1.3.150
- cpe:2.3:a:h2database:h2:1.3.151
- cpe:2.3:a:h2database:h2:1.3.152
- cpe:2.3:a:h2database:h2:1.3.153
- cpe:2.3:a:h2database:h2:1.3.154
- cpe:2.3:a:h2database:h2:1.3.155
- cpe:2.3:a:h2database:h2:1.3.156
- cpe:2.3:a:h2database:h2:1.3.157
- cpe:2.3:a:h2database:h2:1.3.158
- cpe:2.3:a:h2database:h2:1.3.159
- cpe:2.3:a:h2database:h2:1.3.160
- cpe:2.3:a:h2database:h2:1.3.161
- cpe:2.3:a:h2database:h2:1.3.162
- cpe:2.3:a:h2database:h2:1.3.163
- cpe:2.3:a:h2database:h2:1.3.164
- cpe:2.3:a:h2database:h2:1.3.165
- cpe:2.3:a:h2database:h2:1.3.166
- cpe:2.3:a:h2database:h2:1.3.167
- cpe:2.3:a:h2database:h2:1.3.168
- cpe:2.3:a:h2database:h2:1.3.169
- cpe:2.3:a:h2database:h2:1.3.170
- cpe:2.3:a:h2database:h2:1.3.171
- cpe:2.3:a:h2database:h2:1.3.172
- cpe:2.3:a:h2database:h2:1.3.173
- cpe:2.3:a:h2database:h2:1.3.174
- cpe:2.3:a:h2database:h2:1.3.175
- cpe:2.3:a:h2database:h2:1.4.177
- cpe:2.3:a:h2database:h2:1.4.178
- cpe:2.3:a:h2database:h2:1.4.181
- cpe:2.3:a:h2database:h2:1.4.182
- cpe:2.3:a:h2database:h2:1.4.183
- cpe:2.3:a:h2database:h2:1.4.184
- cpe:2.3:a:h2database:h2:1.4.185
- cpe:2.3:a:h2database:h2:1.4.186
- cpe:2.3:a:h2database:h2:1.4.187
- cpe:2.3:a:h2database:h2:1.4.188
- cpe:2.3:a:h2database:h2:1.4.190
- cpe:2.3:a:h2database:h2:1.4.191
- cpe:2.3:a:h2database:h2:1.4.192
- cpe:2.3:a:h2database:h2:1.4.193
- cpe:2.3:a:h2database:h2:1.4.194
- cpe:2.3:a:h2database:h2:1.4.195
- cpe:2.3:a:h2database:h2:1.4.196
- cpe:2.3:a:h2database:h2:1.4.197
- cpe:2.3:a:h2database:h2:1.4.198
- cpe:2.3:a:h2database:h2:1.4.199
- cpe:2.3:a:h2database:h2:1.4.200
- cpe:2.3:a:h2database:h2:2.0.202
- cpe:2.3:a:h2database:h2:2.0.204
- cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0
- cpe:2.3:o:debian:debian_linux:10.0
- cpe:2.3:o:debian:debian_linux:11.0
- cpe:2.3:o:debian:debian_linux:9.0