Vulnerabilities > H2Database > H2 > 1.4.200

DATE CVE VULNERABILITY TITLE RISK
2022-11-23 CVE-2022-45868 Cleartext Storage of Sensitive Information vulnerability in H2Database H2
The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console.
local
low complexity
h2database CWE-312
7.8
7.8
2022-01-19 CVE-2022-23221 Argument Injection or Modification vulnerability in multiple products
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
network
low complexity
h2database debian oracle CWE-88
critical
 9.8
9.8
2022-01-10 CVE-2021-42392 Deserialization of Untrusted Data vulnerability in multiple products
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database.
network
low complexity
h2database debian oracle CWE-502
critical
 9.8
9.8
2021-12-10 CVE-2021-23463 XXE vulnerability in H2Database H2 1.4.198/1.4.199/1.4.200
The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method.
network
low complexity
h2database CWE-611
critical
 9.1
9.1