What is CVE-2018-10054?

CVE-2018-10054 is a vulnerability in N/a. Published 2018-04-11.

Is CVE-2018-10054 known to be exploited?

8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2018-10054

H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the vendor's position is "h2 is not designed to be run outside of a secure environm…

EPSS: 0.716 (98.8th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

rapid7/metasploit-framework
ARPSyndicate/cve-scores
J1ezds/Vulnerability-Wiki-page
Threekiii/Awesome-POC
code-sharx/gradle-plugin
g1san/Agents-for-Vulnerable-Dockers-and-related-Benchmarks
guillermo-varela/example-scan-gradle-plugin
victorsempere/albums_

References

forum.datomic.com/t/important-security-update-0-9-5697/379
44422 (exploit)
blog.datomic.com/2018/03/important-security-update.html
mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
[ignite-user] 20191213 Re: H2 version security concern (mailing-list)
[nifi-commits] 20200421 svn commit: r1876802 - /nifi/site/trunk/registry-security.html (mailing-list)
github.com/h2database/h2database/issues/1225
github.com/h2database/h2database/issues/3099
github.com/h2database/h2database/issues/1808
security.netapp.com/advisory/ntap-20240719-0003/

Frequently asked questions

What is CVE-2018-10054?: CVE-2018-10054 is a vulnerability in N/a. Published 2018-04-11.
Is CVE-2018-10054 known to be exploited?: 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.