com.h2database:h2 1.4.200 vulnerabilities

Known vulnerabilities in the com.h2database:h2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Information Exposure com.h2database:h2 is a database engine Affected versions of this package are vulnerable to Information Exposure when H2 web-based admin console was started via the CLI with the argument `-webAdminPassword`, which allows a local user to specify the password in plaintext for the web admin console. Consequently, a malicious local user or an attacker that has obtained local access through some means would be able to get the password for the H2 web admin console by looking at the running processes. Vendor Statement: "This is not a vulnerability of the H2 Console, this is an example of how not to use it. I think there is nothing to do with it on the H2 side. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that." How to fix Information Exposure? Upgrade `com.h2database:h2` to version 2.2.220 or higher.	[1.4.198,2.2.220)
C Remote Code Execution (RCE) com.h2database:h2 is a database engine Affected versions of this package are vulnerable to Remote Code Execution (RCE) via a jdbc:h2:mem JDBC URL containing the `IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT` substring. How to fix Remote Code Execution (RCE)? Upgrade `com.h2database:h2` to version 2.1.210 or higher.	[,2.1.210)
H Remote Code Execution (RCE) com.h2database:h2 is a database engine Affected versions of this package are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution If remote access was enabled explicitly and some protection method (such as security constraint) are not set, an intruder can load their own custom class and execute their code in a process using H2 Console (a H2 Server process or a web server with H2 Console servlet). Note: It should be noted that H2 Console doesn't accept remote connections by default. Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: `https://h2database.com/html/tutorial.html#usingH2ConsoleServlet` If webAllowOthers is specified, you need to uncomment and edit and as necessary. See documentation of your web server for more details. All these workaround are mitigatory and unlikely to prevent all attack vectors, upgrade to a fixed version for full remediation. How to fix Remote Code Execution (RCE)? Upgrade `com.h2database:h2` to version 2.0.206 or higher.	[1.1.100,2.0.206)
H XML External Entity (XXE) Injection com.h2database:h2 is a database engine Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the `org.h2.jdbc.JdbcSQLXML` class object, when it receives parsed string data from `org.h2.jdbc.JdbcResultSet.getSQLXML()` method. If it executes the `getSource()` method when the parameter is `DOMSource.class` it will trigger the vulnerability. How to fix XML External Entity (XXE) Injection? Upgrade `com.h2database:h2` to version 2.0.202 or higher.	[1.4.198,2.0.202)

Vulnerability

Vulnerable Version

Information Exposure

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Information Exposure when H2 web-based admin console was started via the CLI with the argument -webAdminPassword, which allows a local user to specify the password in plaintext for the web admin console. Consequently, a malicious local user or an attacker that has obtained local access through some means would be able to get the password for the H2 web admin console by looking at the running processes.

Vendor Statement: "This is not a vulnerability of the H2 Console, this is an example of how not to use it. I think there is nothing to do with it on the H2 side. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that."

How to fix Information Exposure?

Upgrade com.h2database:h2 to version 2.2.220 or higher.

[1.4.198,2.2.220)

Remote Code Execution (RCE)

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring.

How to fix Remote Code Execution (RCE)?

Upgrade com.h2database:h2 to version 2.1.210 or higher.

[,2.1.210)

Remote Code Execution (RCE)

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution

If remote access was enabled explicitly and some protection method (such as security constraint) are not set, an intruder can load their own custom class and execute their code in a process using H2 Console (a H2 Server process or a web server with H2 Console servlet).

Note: It should be noted that H2 Console doesn't accept remote connections by default.

Workarounds

H2 Console should never be available to untrusted users.
-webAllowOthers is a dangerous setting that should be avoided.
H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If webAllowOthers is specified, you need to uncomment and edit and as necessary. See documentation of your web server for more details.

All these workaround are mitigatory and unlikely to prevent all attack vectors, upgrade to a fixed version for full remediation.

How to fix Remote Code Execution (RCE)?

Upgrade com.h2database:h2 to version 2.0.206 or higher.

[1.1.100,2.0.206)

XML External Entity (XXE) Injection

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

How to fix XML External Entity (XXE) Injection?

Upgrade com.h2database:h2 to version 2.0.202 or higher.

[1.4.198,2.0.202)

com.h2database:h2@1.4.200 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?

Workarounds