CVE-2022-23221
Description
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
26.568
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2022-23221 are fixed in H2-Database-h2 2.1.210 | Windows |
| H2 Database Engine (USN-5365-1) libh2-java_1.4.197-4+deb10u1build0.20.04.1_all.deb | Linux |
| H2 Database Engine (USN-5365-1) libh2-java_1.4.197-4+deb10u1build0.21.10.1_all.deb | Linux |
| h2database security update(DSA-5076-1) libh2-java-doc_1.4.197-4+deb11u1_all.deb | Linux |
| h2database security update(DSA-5076-1) libh2-java-doc_1.4.197-4+deb10u1_all.deb | Linux |
| h2database security update(DSA-5076-1) libh2-java_1.4.197-4+deb11u1_all.deb | Linux |
| h2database security update(DSA-5076-1) libh2-java_1.4.197-4+deb10u1_all.deb | Linux |
| Vulnerabilities CVE-2022-23221 are fixed in H2-Database-h2 for Linux 2.1.210 | Linux |
Patch Details
No records found