CVE-2022-23221
published 2022-01-19

CVE-2022-23221: H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the…

Priority: P2 (70)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 64.77% (99.1th percentile)
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

Affected

6 ranges

Vendor      Product                                    Version range                    Fixed in
debian      debian_linux                               (not extracted)                  (not extracted)
debian      debian_linux                               (not extracted)                  (not extracted)
debian      debian_linux                               (not extracted)                  (not extracted)
debian      h2database                                 < 2.1.210-1 (bookworm)           2.1.210-1 (bookworm)
h2database  h2                                         >= 1.1.100, < 2.0.206            2.0.206
oracle      communications_cloud_native_core_console   (not extracted)                  (not extracted)

Detection & IOCs

IOC (other): jdbc:h2:mem JDBC URL containing IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT
  • Detect exploitation attempts by monitoring HTTP requests to the H2 Console whose submitted JDBC connection URL contains IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT. The URL arrives as a form field, so match on the percent-decoded value (the ; and = are encoded as %3B and %3D on the wire) and match case-insensitively.
  • The vulnerability is remotely exploitable over HTTP with no authentication required (CVSS PR:N): the attacker chooses an in-memory database that does not exist yet, so no valid credentials for an existing database are needed. Monitor the H2 Console HTTP endpoints for crafted connection URL submissions.
  • Flag any JDBC connection URL submitted to the H2 Console that includes the INIT=RUNSCRIPT directive, as it makes H2 execute a SQL script (local file or remote URL) at connection time; the script can in turn define and call Java code.
  • The vulnerability only affects H2 Console versions before 2.1.210; systems running 2.1.210 or later are not affected.
  • This is a distinct vulnerability from CVE-2021-42392 (NVD classifies that one under CWE-502; it is a JNDI-based remote class-loading issue in the console's driver/URL handling). Both affect the H2 Console but via different attack vectors, so a fix or detection for one does not cover the other.
  • Exploitation is specifically via the H2 Console interface over HTTP; deployments that do not expose the H2 Console remotely have a reduced attack surface. The standalone console only accepts non-localhost connections when started with -webAllowOthers, and Spring Boot ships the console disabled (spring.h2.console.enabled=false) unless explicitly turned on, so check both settings when assessing exposure.

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
ghsa                     9.8    CRITICAL
osv                      9.8    CRITICAL
vendor_debian            9.8    CRITICAL
vendor_oracle            9.8    CRITICAL
vendor_redhat            9.8    CRITICAL
vendor_ubuntu            9.8    CRITICAL