13855 2023-10-18 20:26:10 +0300 [CVE 21] h2 1.4.196 CVEs found 2023-12-12 01:32:03 +0300 1 1 2 ROSA-based products ROSA Fresh System (kernel, glibc, systemd, bash, PAM...) All All Linux RESOLVED WONTFIX CVE-2021-42392, CVE-2022-23221, Highest blocker --- 1 y.tumanov bugs e.kosachev s.matveev v.potapov y.tumanov 2021.1 oldest_to_newest 69743 0 y.tumanov 2023-10-18 20:26:10 +0300 Please patch CVEs for package h2 version 1.4.196 INFO (CVEs are): h2 1.4.196 cves found CVE-2021-42392 Desc: The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution. Link: https://nvd.nist.gov/vuln/detail/CVE-2021-42392 Severity: CRITICAL CVE-2022-23221 Desc: H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23221 Severity: CRITICAL 70162 1 v.potapov 2023-10-20 16:54:16 +0300 *** Bug 13723 has been marked as a duplicate of this bug. *** 70164 2 v.potapov 2023-10-20 16:54:31 +0300 *** Bug 13530 has been marked as a duplicate of this bug. *** 71458 3 s.matveev 2023-12-12 01:32:03 +0300 Входит в java-стек, который пока обновляться не будет