CVE-2022-23221

Name of the Vulnerable Software and Affected Versions H2 Console versions prior to 2.1.210 H2 Database Console (affected versions not specified)

Description The issue is related to incorrect code generation management in the H2 database management system. It can be exploited by a remote attacker to execute arbitrary code using the jdbc:h2:mem function with specific settings: IGNORE UNKNOWN SETTINGS=TRUE;FORBID CREATION=FALSE;INIT=RUNSCRIPT. This allows for remote code execution via a JDBC URL containing these settings.

Recommendations For H2 Console versions prior to 2.1.210, update to version 2.1.210 or later to resolve the issue. As a temporary workaround, consider disabling the jdbc:h2:mem function or restricting its use with the specified settings until a patch is available. Avoid using the INIT=RUNSCRIPT setting in the affected API endpoint until the issue is resolved. Restrict access to the H2 Console to minimize the risk of exploitation.