CVE-2022-23221
Published: 19 January 2022
Summary
CVE-2022-23221 is a critical-severity Argument Injection (CWE-88) vulnerability in Debian Linux. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 3.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability affects the H2 Console in versions prior to 2.1.210 and stems from insufficient validation of JDBC connection URLs. Because the INIT setting executes SQL when a connection is opened, an attacker can supply a jdbc:h2:mem URL containing the parameters IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT to trigger arbitrary code execution during console initialization. This issue is tracked as CWE-88 and carries a CVSS 3.1 score of 9.8.
Unauthenticated remote attackers with network access to the H2 Console can exploit the flaw by submitting the malicious JDBC URL, resulting in full compromise of the confidentiality, integrity, and availability of the host system. No user interaction or credentials are required.
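A defensive input check for the URL pattern described above, added here as an example (it is not H2 project code or Debian's patch): it parses the settings portion of an H2 JDBC URL and rejects connect-time settings such as INIT, so a front end that accepts user-supplied connection strings can refuse the vulnerable pattern. The allowlist is an assumed policy, not an H2 default.

```python
import re

# Assumed allowlist of H2 settings a hardened front end might accept
# (the setting names are real H2 settings; the policy is constructed here).
ALLOWED_SETTINGS = {"DB_CLOSE_DELAY", "MODE", "CASE_INSENSITIVE_IDENTIFIERS"}

# Settings that change engine behaviour or run SQL at connect time; the
# CVE-2022-23221 URL combines all three of these.
DANGEROUS_SETTINGS = {"INIT", "IGNORE_UNKNOWN_SETTINGS", "FORBID_CREATION"}


def parse_h2_url(url):
    """Split 'jdbc:h2:<target>;K=V;K2=V2' into (target, {KEY: value}).

    Keys are upper-cased so case variants of INIT are treated alike.
    H2 also accepts '\\;' inside values; this simple splitter does not,
    which is acceptable for a reject-on-doubt check.
    """
    if not url.lower().startswith("jdbc:h2:"):
        raise ValueError("not an H2 JDBC URL")
    parts = url[len("jdbc:h2:"):].split(";")
    target, settings = parts[0], {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed setting: {part!r}")
        settings[key.strip().upper()] = value.strip()
    return target, settings


def check_h2_url(url):
    """Return (ok, reasons); ok is False for any setting outside the allowlist."""
    try:
        target, settings = parse_h2_url(url)
    except ValueError as exc:
        return False, [str(exc)]
    reasons = []
    for key, value in settings.items():
        if key in DANGEROUS_SETTINGS:
            reasons.append(f"dangerous setting {key}={value}")
        elif key not in ALLOWED_SETTINGS:
            reasons.append(f"setting {key} not in allowlist")
    # Flag the specific advisory pattern separately so it can be alerted on.
    if re.search(r"\bRUNSCRIPT\b", settings.get("INIT", ""), re.IGNORECASE):
        reasons.append("INIT contains RUNSCRIPT (CVE-2022-23221 pattern)")
    return (not reasons), reasons
```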
The H2 project addressed the issue in release 2.1.210, with corresponding updates published through its GitHub security advisories and release notes. Debian subsequently issued patched packages for affected LTS distributions.
The associated EPSS score has remained flat at its peak value of 0.2657 since disclosure, indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0440
Vulnerability details
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
- CWE(s): CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.