13530 2023-08-24 00:20:03 +0300 [CVE 21] h2 1.4.196 CVEs found 2023-10-20 16:54:31 +0300 1 1 2 ROSA-based products ROSA Fresh System (kernel, glibc, systemd, bash, PAM...) All All Linux RESOLVED DUPLICATE 13855 CVE-2021-42392, CVE-2022-23221, Normal normal --- 1 y.tumanov bugs e.kosachev s.matveev v.potapov y.tumanov 2021.1 oldest_to_newest 68897 0 y.tumanov 2023-08-24 00:20:03 +0300 Please patch CVEs for package h2 version 1.4.196 INFO (CVEs are): h2 1.4.196 cves found CVE-2021-42392 Desc: The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution. Link: https://nvd.nist.gov/vuln/detail/CVE-2021-42392 Severity: CRITICAL CVE-2022-23221 Desc: H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23221 Severity: CRITICAL 70163 1 v.potapov 2023-10-20 16:54:31 +0300 *** This bug has been marked as a duplicate of bug 13855 ***