
Improper Input Validation

CVE-2018-10054

Severity High
Score 8.8/10

Summary

H2 1.4.197 and prior, as used in Datomic before 0.9.5697 and other products, allows unauthenticated users to create a new instance of an H2 database on a remote server. The user could then use the "CREATE ALIAS" feature to execute arbitrary Java code and achieve remote code execution. This was fixed in version 1.4.198 of H2 by disabling the default creation of a remote database and requiring authentication.
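The two things a defender wants to know from this advisory are whether a deployed H2 is in the affected range (1.4.197 and earlier) and whether its TCP server is reachable from other hosts while still allowing remote clients to create databases. The following script is an added example written for this page, not code from the H2 project or the advisory: it takes JVM command lines (constructed samples below), reads the H2 version from the jar name, and reports the exposure. It assumes the H2 Server options `-tcpAllowOthers`, `-ifExists` and `-ifNotExists` (the last one only exists from 1.4.198, where it re-enables the creation that the fix disabled by default); the inventory format and the jar-name convention `h2-<version>.jar` are assumptions.

```python
"""Audit helper for CVE-2018-10054 (H2 <= 1.4.197, remote database creation).

Example code added for this page; not part of H2 or the advisory.
"""
import re
from typing import List, Optional

# Version that closed the issue, per the advisory.
FIXED_VERSION = (1, 4, 198)

# Assumed jar-name convention: h2-1.4.197.jar, h2-2.1.214.jar, ...
JAR_RE = re.compile(r"h2-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text: str) -> tuple:
    """Turn H2's 'major.minor.build' string into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised H2 version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True for H2 1.4.197 and earlier."""
    return parse_version(version) < FIXED_VERSION


def version_from_cmdline(argv: List[str]) -> Optional[str]:
    """Find the H2 version from a jar name anywhere in the command line (classpath entries included)."""
    for arg in argv:
        for piece in re.split(r"[:;]", arg):
            m = JAR_RE.search(piece)
            if m:
                return m.group(1)
    return None


def audit_h2_server(argv: List[str]) -> List[str]:
    """Return human-readable findings for one H2 server launch command line."""
    findings = []
    version = version_from_cmdline(argv)
    if version is None:
        return ["could not determine H2 version from command line"]

    affected = is_affected(version)
    if affected:
        findings.append(f"H2 {version} is affected by CVE-2018-10054; upgrade to 1.4.198 or later")

    # -tcpAllowOthers makes the TCP server accept connections from other hosts.
    if "-tcpAllowOthers" in argv:
        findings.append("-tcpAllowOthers: TCP server accepts connections from other hosts")
        # Before 1.4.198 creation on connect was the default; -ifExists turns it off.
        if affected and "-ifExists" not in argv:
            findings.append("remote clients may create new databases (no -ifExists): CVE-2018-10054 precondition")
        # From 1.4.198 creation is off by default; -ifNotExists turns it back on.
        if not affected and "-ifNotExists" in argv:
            findings.append("-ifNotExists re-enables the remote database creation that 1.4.198 disabled by default")
    return findings


# Constructed sample command lines (not taken from the advisory).
VULNERABLE_CMD = ["java", "-cp", "lib/h2-1.4.197.jar", "org.h2.tools.Server",
                  "-tcp", "-tcpAllowOthers", "-tcpPort", "9092"]
PATCHED_CMD = ["java", "-cp", "lib/h2-1.4.198.jar", "org.h2.tools.Server",
               "-tcp", "-tcpAllowOthers", "-tcpPort", "9092"]
LOCAL_ONLY_CMD = ["java", "-cp", "lib/h2-1.4.197.jar", "org.h2.tools.Server",
                  "-tcp", "-ifExists"]

if __name__ == "__main__":
    for name, cmd in [("vulnerable", VULNERABLE_CMD), ("patched", PATCHED_CMD), ("local-only", LOCAL_ONLY_CMD)]:
        print(name)
        for f in audit_h2_server(cmd):
            print("  -", f)
```

The version check alone is not enough: a 1.4.197 server that is bound to localhost without `-tcpAllowOthers`, or started with `-ifExists`, does not meet the advisory's precondition, while a patched server launched with `-ifNotExists` and `-tcpAllowOthers` has the hardening undone. Feeding the function real process listings from an inventory (for example `ps` output split into arguments) gives a quick first pass before a proper upgrade.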

CVSS v3 metrics (consistent with the 8.8 score above)

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Availability Impact: HIGH
  • Scope: UNCHANGED
  • User Interaction: NONE
  • Privileges Required: LOW
  • Integrity Impact: HIGH
  • Confidentiality Impact: HIGH

CWE-20 - Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Advisory Timeline

  • Published