RSS   Vulnerabilities for 'H2'   RSS

2022-01-19
 
CVE-2022-23221

CWE-94
 

 
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

 
2021-12-10
 
CVE-2021-23463

CWE-611
 

 
The package com.h2database:h2 from 0 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

 
2018-07-24
 
CVE-2018-14335

CWE-732
 

 
An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file.

 
2018-04-11
 
CVE-2018-10054

CWE-20
 

 
H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code.

 


Copyright 2024, cxsecurity.com

 

Back to Top