CVE-2022-23221

Published: Jan 19, 2022

Modified: May 5, 2025

PUBLISHED

Description

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/h2database/h2database/security/advisories

20220124 Unauthenticated RCE vuln in the H2 Database console: CVE-2022-23221.

mailing-list

[debian-lts-announce] 20220215 [SECURITY] [DLA 2923-1] h2database security update

mailing-list

DSA-5076

vendor-advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

https://github.com/h2database/h2database/releases/tag/version-2.1.210

https://twitter.com/d0nkey_man/status/1483824727936450564

http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html

https://www.oracle.com/security-alerts/cpujul2022.html

https://security.netapp.com/advisory/ntap-20230818-0011/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-23221

Description

Affected Products

References