10
CVE-2021-42392
- EPSS 91.12%
- Veröffentlicht 10.01.2022 14:10:23
- Zuletzt bearbeitet 21.11.2024 06:27:43
- Quelle reefs@jfrog.com
- Teams Watchlist Login
- Unerledigt Login
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
H2database ≫ H2 Version >= 1.1.000 <= 2.0.204
Debian ≫ Debian Linux Version9.0
Debian ≫ Debian Linux Version10.0
Debian ≫ Debian Linux Version11.0
Oracle ≫ Communications Cloud Native Core Policy Version1.15.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 91.12% | 0.996 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 10 | 10 | 10 |
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.