8.8
CVE-2018-10054
- EPSS 34.99%
- Veröffentlicht 11.04.2018 20:29:00
- Zuletzt bearbeitet 21.11.2024 03:40:43
- CVE-Watchlists
- Unerledigt
H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the vendor's position is "h2 is not designed to be run outside of a secure environment."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
H2database ≫ H2 Version1.4.197
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 34.99% | 0.982 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
http://blog.datomic.com/2018/03/important-security-update.html
https://forum.datomic.com/t/important-security-update-0-9-5697/379
https://github.com/h2database/h2database/issues/1225
https://github.com/h2database/h2database/issues/1808#issuecomment-599203115
https://github.com/h2database/h2database/issues/3099
https://lists.apache.org/thread.html/582d4165de6507b0be82d5a6f9a1ce392ec43a00c9fed32bacf7fe1e%40%3Cuser.ignite.apache.org%3E
https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540%40%3Ccommits.nifi.apache.org%3E
https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
https://security.netapp.com/advisory/ntap-20240719-0003/
https://www.exploit-db.com/exploits/44422/