H3-2023-0028
H2 Embedded Database Misconfiguration
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 9.8 |
Description
H2 Database applications prior to version 1.4.199 allow the automatic creation of databases that do not exist, creating an opportunity for RCE.
Impact
Affected H2 databases allow the automatic and anonymous creation of databases that do not exist. Combined with access to the H2 Console and the use of 'INIT=RUNSCRIPT FROM', this allows for RCE.
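A configuration audit for the combination described above (an H2 version before 1.4.199 together with an enabled H2 Console), added here as an example and not part of the advisory. It assumes a Spring Boot application, so the `spring.h2.console.*` property names, the Maven-style `com.h2database:h2:<version>` coordinate and the sample input are assumptions rather than details from this page.

```python
import re

FIXED = (1, 4, 199)  # per the advisory: versions before this auto-create databases

def h2_version(dependency_lines):
    """Find com.h2database:h2:<version> in a dependency listing; None if absent."""
    for line in dependency_lines:
        m = re.search(r"com\.h2database:h2:(\d+)\.(\d+)\.(\d+)", line)
        if m:
            return tuple(int(g) for g in m.groups())
    return None

def parse_properties(text):
    """Minimal key=value parser for a .properties file (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(dependency_lines, properties_text):
    """Return (exposed, findings); exposed means old H2 and an enabled console."""
    props = parse_properties(properties_text)
    version = h2_version(dependency_lines)
    old = version is not None and version < FIXED
    console = props.get("spring.h2.console.enabled", "false").lower() == "true"
    remote = props.get("spring.h2.console.settings.web-allow-others", "false").lower() == "true"
    findings = []
    if version is None:
        findings.append("H2 not found in dependency listing")
    elif old:
        findings.append("H2 %d.%d.%d predates 1.4.199: upgrade" % version)
    if console:
        findings.append("H2 Console enabled: disable outside development")
    if remote:
        findings.append("H2 Console accepts remote connections: set web-allow-others=false")
    return (old and console), findings

# Constructed sample input (assumed Spring Boot project, not from the advisory).
SAMPLE_DEPS = ["+--- com.h2database:h2:1.4.197"]
SAMPLE_PROPS = "spring.h2.console.enabled=true\nspring.h2.console.settings.web-allow-others=true\n"

if __name__ == "__main__":
    print(audit(SAMPLE_DEPS, SAMPLE_PROPS))
```
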