CVE-2022-23221 The H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring. This is different than CVE-2021-42392.

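The settings named in the description are the whole attack: INIT makes H2 run arbitrary SQL when the connection is opened (RUNSCRIPT loads and executes a script), FORBID_CREATION=FALSE lets the connect call create a database that did not exist, and IGNORE_UNKNOWN_SETTINGS=TRUE stops an unrecognised setting from aborting the connection. The script below is an added example, not code from the H2 project or from the CVE entry: it parses H2 JDBC URLs (including H2's `\;` escape inside a setting value) and flags those settings, then runs the check over a few constructed console-connect log lines. The log format, the `url=` field, the script name `init.sql` and the explanation strings in `RISKY_SETTINGS` are assumptions made for the example.

```python
import re

# Settings relevant to CVE-2022-23221. The explanations are the editor's
# wording for this example, not text from H2 or from the CVE entry.
RISKY_SETTINGS = {
    "INIT": "runs the given SQL every time the connection is opened",
    "FORBID_CREATION": "FALSE lets the connect call create a database that does not yet exist",
    "IGNORE_UNKNOWN_SETTINGS": "TRUE makes H2 ignore settings it does not recognise instead of failing",
}


def parse_h2_url(url):
    """Split 'jdbc:h2:<db>;KEY=VALUE;...' into (db, {KEY: VALUE}).

    H2 lets a setting value contain a literal ';' when written as '\\;', so
    the URL is split only on unescaped semicolons.
    """
    prefix = "jdbc:h2:"
    if not url.lower().startswith(prefix):
        raise ValueError("not an H2 JDBC URL")
    parts = re.split(r"(?<!\\);", url[len(prefix):])
    db = parts[0]
    settings = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if not sep:
            continue  # tolerate a stray separator such as a trailing ';'
        settings[key.strip().upper()] = value.strip().replace("\\;", ";")
    return db, settings


def assess_h2_url(url):
    """Return the list of risky findings for one URL (empty means clean)."""
    db, settings = parse_h2_url(url)
    findings = []
    init = settings.get("INIT")
    if init is not None:
        findings.append("INIT present: " + RISKY_SETTINGS["INIT"])
        if re.search(r"\bRUNSCRIPT\b", init, re.IGNORECASE):
            findings.append("INIT invokes RUNSCRIPT, which loads and executes a script")
    if settings.get("FORBID_CREATION", "").upper() == "FALSE":
        findings.append("FORBID_CREATION=FALSE: " + RISKY_SETTINGS["FORBID_CREATION"])
    if settings.get("IGNORE_UNKNOWN_SETTINGS", "").upper() == "TRUE":
        findings.append("IGNORE_UNKNOWN_SETTINGS=TRUE: " + RISKY_SETTINGS["IGNORE_UNKNOWN_SETTINGS"])
    return findings


# Constructed sample log lines (not real H2 Console output). The JDBC URL is
# the value of the trailing url= field; the script name is a placeholder.
SAMPLE_LOG = [
    "2022-01-20T10:00:01Z console connect user=sa url=jdbc:h2:mem:app;DB_CLOSE_DELAY=-1",
    "2022-01-20T10:00:07Z console connect user=sa url=jdbc:h2:mem:app;INIT=SET SCHEMA APP",
    "2022-01-20T10:00:12Z console connect user=sa url=jdbc:h2:mem:x;"
    "IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT FROM 'init.sql'",
]

URL_FIELD = re.compile(r"\burl=(jdbc:h2:\S.*)$", re.IGNORECASE)


def scan_log(lines):
    """Return [(1-based line number, findings)] for lines whose URL is risky."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = URL_FIELD.search(line)
        if not m:
            continue
        findings = assess_h2_url(m.group(1))
        if findings:
            hits.append((n, findings))
    return hits


if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}:")
        for f in findings:
            print("  -", f)
```

Line 2 is flagged for INIT alone, which is worth knowing even though `SET SCHEMA` is a legitimate use; line 3 carries all four findings. The check is a detection aid, not a fix: the remediation is upgrading to H2 2.1.210 or later and not exposing the console to other hosts (the `-webAllowOthers` start option).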

This issue was reported by Yuhuan Shih from IBM. CVE-2018-1010, which is also listed in the references below, is unrelated to H2: it is a Microsoft Windows font-library remote code execution vulnerability (Microsoft Graphics Remote Code Execution Vulnerability), not a JDBC flaw. The "Apache HSQL" JDBC type-checking description and the distribution package names that have circulated under that identifier do not correspond to any real release: HSQLDB is not an Apache project and has no 1.10 to 1.13 release line.

References:

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1010
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221
3. https://www.hsqldb.com/?q=hsqldb_2_9
