CVE-2022-23221

Exploit

EPSS 22.2%
Published 19.01.2022 17:15:09
Last modified 05.05.2025 17:17:56
Source cve@mitre.org
Teams watchlist Login
Open Login

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

Affected products Warnungen 0 Metrics 4 CWE 1 References 13

Data is provided by the National Vulnerability Database (NVD)

H2database ≫ H2 Version >= 1.1.100 < 2.0.206

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Oracle ≫ Communications Cloud Native Core Console Version1.9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	22.2%	0.956

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Not Applicable

https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html

Third Party Advisory

Mailing List

https://www.debian.org/security/2022/dsa-5076

Third Party Advisory

http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html

Third Party Advisory