CVE-2022-23221

NameCVE-2022-23221
DescriptionH2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2923-1, DSA-5076-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
h2database (PTS)stretch (security), stretch (lts), stretch1.4.193-1+deb9u1fixed
buster (security), buster, buster (lts)1.4.197-4+deb10u1fixed
bullseye (security), bullseye1.4.197-4+deb11u1fixed
bookworm2.1.214-1fixed
sid, trixie2.2.220-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
h2databasesourcestretch1.4.193-1+deb9u1DLA-2923-1
h2databasesourcebuster1.4.197-4+deb10u1DSA-5076-1
h2databasesourcebullseye1.4.197-4+deb11u1DSA-5076-1
h2databasesource(unstable)2.1.210-1

Notes

https://github.com/h2database/h2database/releases/tag/version-2.1.210
Fixed by https://github.com/h2database/h2database/commit/eb75633d0dfa86341e6ef77a861665c4a0f16ab8
https://github.com/h2database/h2database/issues/3360#issuecomment-1018351050
Search for package or bug name: Reporting problems