Please patch CVEs for package h2 version 1.4.196 INFO (CVEs are): h2 1.4.196 cves found CVE-2021-42392 Desc: The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution. Link: https://nvd.nist.gov/vuln/detail/CVE-2021-42392 Severity: CRITICAL CVE-2022-23221 Desc: H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23221 Severity: CRITICAL
*** Bug 13723 has been marked as a duplicate of this bug. ***
*** Bug 13530 has been marked as a duplicate of this bug. ***
Входит в java-стек, который пока обновляться не будет