cbcvebase.
CVE-2018-10054
published 2018-04-11

CVE-2018-10054: H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the…

PriorityP273high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
34.99%
98.2th percentile
H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the vendor's position is "h2 is not designed to be run outside of a secure environment."

Affected

3 ranges
VendorProductVersion rangeFixed in
atlassianbamboo_data_center
cognitectdatomic< 0.9.56970.9.5697
h2databaseh2

Detection & IOCsextracted from sources · hover to see the quote

commandCREATE ALIAS
  • Monitor for SQL statements containing CREATE ALIAS directed at H2 database instances, as this is the primary exploitation vector for arbitrary Java code execution.
  • H2's web interface restricts many characters; watch for obfuscated or encoded SQL payloads attempting to bypass input filtering on the H2 web console.
  • Exploitation requires a valid database connection; alert on unexpected or unauthenticated connections to H2 database endpoints, especially using in-memory database URLs.
  • Watch for payload files written to the working directory of the H2 process (not just /tmp), as exploits may drop files there when /tmp is not writable.
  • Audit Bamboo Data Center and Server deployments for the presence of vulnerable com.h2database:h2 versions (1.4.197, 1.4.199, 2.0.204, 2.1.214) as confirmed affected products.
  • ·H2 is not intended to be exposed outside a secure/trusted environment; exposure of the H2 web interface or database port to untrusted networks is a prerequisite for remote exploitation.
  • ·Version detection may fail for certain H2 versions during exploitation attempts, meaning version-based detection alone is unreliable.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.