Login Sign Up

CVE-2022-23221

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on H2 Database Console by exploiting a flaw in JDBC URL parsing. Attackers can craft malicious URLs containing INIT=RUNSCRIPT commands to run arbitrary SQL scripts. Any system running H2 Console before version 2.1.210 with the console accessible is affected.

💻 Affected Systems

Products:
  • H2 Database Console
Versions: All versions before 2.1.210
Operating Systems: All operating systems running H2 Console
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the H2 Console web interface, not the database engine itself. Default configurations with console enabled are vulnerable.

📦 What is this software?

Communications Cloud Native Core Console by Oracle

View all CVEs affecting Communications Cloud Native Core Console →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

H2 by H2database

View all CVEs affecting H2 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with remote code execution leading to data theft, ransomware deployment, or lateral movement across the network.

🟠

Likely Case

Database compromise allowing data exfiltration, privilege escalation, or deployment of backdoors for persistent access.

🟢

If Mitigated

Limited impact if console is not exposed or properly secured with authentication and network controls.

🌐 Internet-Facing: HIGH - Remote code execution with no authentication required makes internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, this provides attackers with powerful code execution capabilities once network access is obtained.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires minimal technical skill to execute. The attack can be performed through web requests to the console endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.210 and later

Vendor Advisory: https://github.com/h2database/h2database/security/advisories

Restart Required: Yes

Instructions:

1. Download H2 Database version 2.1.210 or later from official sources. 2. Stop the H2 Console service. 3. Replace the existing H2 JAR files with the updated version. 4. Restart the H2 Console service. 5. Verify the version is 2.1.210 or higher.

🔧 Temporary Workarounds

Disable H2 Console

all

Completely disable the H2 Console web interface if not required for operations.

Stop the H2 Console service or remove/disable the console component from your deployment.

Network Access Controls

all

Restrict network access to the H2 Console using firewall rules or network segmentation.

Configure firewall to allow only trusted IP addresses to access the H2 Console port (default 8082).

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to isolate H2 Console from untrusted networks.
  • Deploy a web application firewall (WAF) with rules to block malicious JDBC URL patterns containing INIT=RUNSCRIPT.

🔍 How to Verify

Check if Vulnerable:

Check if H2 Console is accessible on port 8082 (default) and if the version is below 2.1.210. Access the console web interface and check the version in the footer or about page.

Check Version:

java -cp h2*.jar org.h2.tools.Server -? | grep -i version

Verify Fix Applied:

After patching, verify the console shows version 2.1.210 or higher. Test that malicious JDBC URLs with INIT=RUNSCRIPT no longer execute arbitrary commands.

📡 Detection & Monitoring

Log Indicators:

  • JDBC connection attempts with INIT=RUNSCRIPT in URL
  • Unusual SQL execution patterns from console interface
  • Multiple failed login attempts to console

Network Indicators:

  • HTTP POST requests to /console/login.do with malicious JDBC URLs
  • Traffic to H2 Console port (default 8082) from unexpected sources

SIEM Query:

source="h2-console.log" AND ("INIT=RUNSCRIPT" OR "jdbc:h2:mem:")

📊 Metadata

CVE ID: CVE-2022-23221
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-88
Published: January 19, 2022
Last Updated: May 5, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-23221, you might also want to check these:

CVE-2023-6269 10.0

An argument injection vulnerability in Atos Unify OpenScape SBC, Branch, and BCF products allows una...

Same vulnerability type (CWE-88)
CVE-2024-47553 9.9

This vulnerability in Siemens SINEC Security Monitor allows authenticated low-privileged remote atta...

Same vulnerability type (CWE-88)
CVE-2024-39930 9.9

This vulnerability allows authenticated attackers to execute arbitrary code on Gogs servers by explo...

Same vulnerability type (CWE-88)