Vulnerabilities > H2Database
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-11-23 | CVE-2022-45868 | Cleartext Storage of Sensitive Information vulnerability in H2Database H2. The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. | 7.8 |
2022-01-19 | CVE-2022-23221 | Argument Injection or Modification vulnerability in multiple products. H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. | 9.8 |
2022-01-10 | CVE-2021-42392 | Deserialization of Untrusted Data vulnerability in multiple products. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. | 9.8 |
2021-12-10 | CVE-2021-23463 | XXE vulnerability in H2Database H2 1.4.198/1.4.199/1.4.200. The package com.h2database:h2 from 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. | 9.1 |
2018-07-24 | CVE-2018-14335 | Link Following vulnerability in H2Database H2 1.4.197. An issue was discovered in H2 1.4.197. | 6.5 |
2018-04-11 | CVE-2018-10054 | Improper Input Validation vulnerability in multiple products. H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. | 8.8 |