H2 Database H2 1.4.187

CPE Details

H2 Database H2 1.4.187
h2database
h2
1.4.187
2019-04-10
10h57 +00:00
2019-04-10
10h57 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:h2database:h2:1.4.187:*:*:*:*:*:*:*

Informations

Vendor

h2database

Product

h2

Version

1.4.187

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2022-45868 2022-11-22 23h00 +00:00 The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.
8.4
High
CVE-2022-23221 2022-01-18 23h00 +00:00 H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
9.8
Critical
CVE-2021-42392 2022-01-06 23h00 +00:00 The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
9.8
Critical