Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-10054 — Improper Input Validation in Datomic

CWE-20 — Improper Input Validation5 documents5 sources

Severity

8.8HIGHNVD

EPSS

53.3%

top 2.01%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Cognitect Datomic H2database H2 Atlassian Bamboo Data Center

Timeline

PublishedApr 11

Latest updateJan 16

Description

H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the vendor's position is "h2 is not designed to be run outside of a secure environment."

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDcognitect/datomic< 0.9.5697

▶NVDh2database/h21.4.197

▶atlassianatlassian/bamboo_data_center

🔴Vulnerability Details

GHSA

Improper Input Validation in Datomic↗2022-05-13

▶

OSV

Improper Input Validation in Datomic↗2022-05-13

▶

💥Exploits & PoCs

Metasploit

H2 Web Interface Create Alias RCE↗

▶

📋Vendor Advisories

Atlassian

CVE-2018-10054: RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server↗2024-01-16

▶