{"id":"CVE-2022-23221","details":"H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.","aliases":["GHSA-45hx-wfhj-473x"],"modified":"2026-04-12T02:50:33.393708Z","published":"2022-01-19T17:15:09Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"1.9.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"10.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"11.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"9.0"}]}]},"references":[{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230818-0011/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5076"},{"type":"FIX","url":"https://github.com/h2database/h2database/releases/tag/version-2.1.210"},{"type":"FIX","url":"https://github.com/h2database/h2database/security/advisories"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2022/Jan/39"},{"type":"EVIDENCE","url":"https://twitter.com/d0nkey_man/status/1483824727936450564"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/h2database/h2database","events":[{"introduced":"0"},{"fixed":"3d957a0aeb509c5976a3489e7867ecbb121280f4"},{"fixed":"ca926f8b646aa3dd3da5f7a81bbee055b19a8d6a"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:h2database:h2:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.1.100"},{"fixed":"2.0.206"}]}}],"versions":["version-1.4.188","version-1.4.190","version-1.4.192","version-1.4.193","version-1.4.194","version-1.4.195","version-1.4.197","version-1.4.198","version-1.4.199","version-1.4.200","version-2.0.202","version-2.0.204"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/h2database/h2database/commit/3d957a0aeb509c5976a3489e7867ecbb121280f4","id":"CVE-2022-23221-007ddf6d","digest":{"line_hashes":["272810656635025776199681441561795810929","245591617129835704064380813555882338322","306412481140467524166442158358643941576","171885524935467376214112428467882639055","152693961729231181337235161892963699712","11128620713700209481157025108943595581","229492663452310778701433303382354959535","280099107836224806134227223277985234471"],"threshold":0.9},"deprecated":false,"signature_type":"Line","signature_version":"v1","target":{"file":"h2/src/main/org/h2/engine/Constants.java"}},{"source":"https://github.com/h2database/h2database/commit/3d957a0aeb509c5976a3489e7867ecbb121280f4","id":"CVE-2022-23221-2e529f64","digest":{"function_hash":"315764262499076112425286640966310751787","length":3343},"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"h2/src/tools/org/h2/build/Build.java","function":"javadocImpl"}},{"source":"https://github.com/h2database/h2database/commit/3d957a0aeb509c5976a3489e7867ecbb121280f4","id":"CVE-2022-23221-7128582e","digest":{"line_hashes":["306343085252609351417168749835012023517","24484998409013538956641732370396970576","62200468007006360416996496122250431518","3323092461967229912768068215658008818"],"threshold":0.9},"deprecated":false,"signature_type":"Line","signature_version":"v1","target":{"file":"h2/src/tools/org/h2/build/Build.java"}}],"vanir_signatures_modified":"2026-04-12T02:50:33Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23221.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}