Improper Input Validation
CVE-2018-10054
Summary
H2 1.4.197 and prior, as used in Datomic before 0.9.5697 and other products, allows unauthenticated users to create a new instance of an H2 database on a remote server. The user could then use the "CREATE ALIAS" feature to execute arbitrary Java code and achieve remote code execution. This was fixed in version 1.4.198 of H2 by disabling the default creation of a remote database and requiring authentication.
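The fix described above comes down to not letting remote clients create databases on the server. As an added illustration (not code from the H2 project, Datomic, or this advisory), the Java snippet below starts an embedded H2 TCP server in the exposed form beside a hardened form; the port, base directory and shutdown password are assumed placeholder values.

```java
import org.h2.tools.Server;

import java.sql.SQLException;

/**
 * Added example: starting an embedded H2 TCP server two ways.
 * Assumptions: port 9092, base directory ./data and the shutdown
 * password are placeholders chosen for this example, not values
 * taken from the advisory.
 */
public class H2ServerHardening {

    // Weak: on H2 1.4.197 and earlier this lets any network client open a
    // brand-new database on the server, which is the precondition for the
    // issue described in CVE-2018-10054. Shown only so the setting is
    // recognisable in existing deployments.
    public static Server startExposed() throws SQLException {
        return Server.createTcpServer(
                "-tcpPort", "9092",
                "-tcpAllowOthers"          // accept connections from other hosts
        ).start();
    }

    // Hardened: only databases that already exist under -baseDir can be
    // opened, so a remote client cannot create a fresh database and define
    // aliases in it; connections still need that database's credentials.
    public static Server startHardened() throws SQLException {
        return Server.createTcpServer(
                "-tcpPort", "9092",
                "-baseDir", "./data",      // confine database files to one directory
                "-ifExists",               // refuse to create databases on demand
                "-tcpPassword", "<shutdown-password-placeholder>"
        ).start();
    }

    public static void main(String[] args) throws SQLException {
        Server server = startHardened();
        System.out.println("H2 TCP server listening on port " + server.getPort());
        // From 1.4.198 on, remote database creation is off by default and has
        // to be re-enabled explicitly with -ifNotExists; leave that flag out.
        server.stop();
    }
}
```

On a server that must stay on 1.4.197 or earlier, `-ifExists` is the setting to check for first, since the default there is the exposed behaviour.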
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
References
Advisory Timeline
- Published