com.h2database:h2
Maven | 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting com.h2database:h2
- CVE-2021-23463 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.0.202 | 2021-12-10
vulnerable: 1.4.198, 1.4.199, 1.4.200
The package com.h2database:h2 from 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML()…
- CVE-2021-42392 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.0.206 | 2022-01-10
vulnerable: 1.1.100 ... 2.0.204 (103 versions)
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote …
- CVE-2022-23221 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.1.210 | 2022-01-19
vulnerable: 1.0.20061217 ... 2.0.206 (131 versions)
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-4239…
- CVE-2022-45868 | HIGH | CVSS 8.4 | EG 8.4 | ✓ Fixed in 2.2.220 | 2022-11-23
vulnerable: 1.4.198 ... 2.1.214 (9 versions)
The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local us…