What is CVE-2022-23221?

CVE-2022-23221 is a vulnerability in N/a. Published 2022-01-19.

Is CVE-2022-23221 known to be exploited?

25 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2022-23221

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-4239…

EPSS: 0.648 (99.1th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

ARPSyndicate/cvemon
Alphabeto/payment-service
J1ezds/Vulnerability-Wiki-page
KevinMendes/evotingBounty
Threekiii/Awesome-POC
g1san/Agents-for-Vulnerable-Dockers-and-related-Benchmarks
hardeepsonatype/get_
hinat0y/Dataset1
hinat0y/Dataset10
hinat0y/Dataset11

References

github.com/h2database/h2database/security/advisories
20220124 Unauthenticated RCE vuln in the H2 Database console: CVE-2022-23221. (mailing-list)
[debian-lts-announce] 20220215 [SECURITY] [DLA 2923-1] h2database security update (mailing-list)
DSA-5076 (vendor-advisory)
www.oracle.com/security-alerts/cpuapr2022.html
github.com/h2database/h2database/releases/tag/version-2.1.210
twitter.com/d0nkey_man/status/1483824727936450564
packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution…
www.oracle.com/security-alerts/cpujul2022.html
security.netapp.com/advisory/ntap-20230818-0011/

Frequently asked questions

What is CVE-2022-23221?: CVE-2022-23221 is a vulnerability in N/a. Published 2022-01-19.
Is CVE-2022-23221 known to be exploited?: 25 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.