VulnerableCode Package Details - pkg:maven/com.h2database/h2@1.4.200

Search for packages

Vulnerability	Summary	Fixed by
VCID-6tyr-1gfy-fua1 Aliases: CVE-2022-23221 GHSA-45hx-wfhj-473x	Improper Control of Generation of Code ('Code Injection') H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.	2.1.210 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ahev-cr9q-g3d3 Aliases: CVE-2022-45868 GHSA-22wj-vf5f-wrvj	Password exposure in H2 Database The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."	2.2.220 Affected by 0 other vulnerabilities.
VCID-furu-at6b-nbez Aliases: CVE-2021-23463 GHSA-7rpj-hg47-cx62	Improper Restriction of XML External Entity Reference The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.	2.0.202 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-jstt-6zs3-ybew Aliases: CVE-2021-42392 GHSA-h376-j262-vhq6 GMS-2022-7	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in com.h2database:h2.	2.0.206 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-6tyr-1gfy-fua1
Aliases:
CVE-2022-23221
GHSA-45hx-wfhj-473x

Improper Control of Generation of Code ('Code Injection') H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

2.1.210
Affected by 1 other vulnerability.

VCID-ahev-cr9q-g3d3
Aliases:
CVE-2022-45868
GHSA-22wj-vf5f-wrvj

Password exposure in H2 Database The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

2.2.220
Affected by 0 other vulnerabilities.

VCID-furu-at6b-nbez
Aliases:
CVE-2021-23463
GHSA-7rpj-hg47-cx62

Improper Restriction of XML External Entity Reference The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

2.0.202
Affected by 3 other vulnerabilities.

VCID-jstt-6zs3-ybew
Aliases:
CVE-2021-42392
GHSA-h376-j262-vhq6
GMS-2022-7

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in com.h2database:h2.

2.0.206
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:37:53.003378+00:00	GitLab Importer	Affected by	VCID-6tyr-1gfy-fua1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2022-23221.yml	38.4.0
2026-04-16T21:36:58.427057+00:00	GitLab Importer	Affected by	VCID-jstt-6zs3-ybew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/GMS-2022-7.yml	38.4.0
2026-04-16T21:36:34.641928+00:00	GitLab Importer	Affected by	VCID-furu-at6b-nbez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2021-23463.yml	38.4.0
2026-04-16T02:40:25.559878+00:00	GHSA Importer	Affected by	VCID-ahev-cr9q-g3d3	https://github.com/advisories/GHSA-22wj-vf5f-wrvj	38.4.0
2026-04-11T22:52:12.945440+00:00	GitLab Importer	Affected by	VCID-6tyr-1gfy-fua1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2022-23221.yml	38.3.0
2026-04-11T22:50:55.452391+00:00	GitLab Importer	Affected by	VCID-jstt-6zs3-ybew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/GMS-2022-7.yml	38.3.0
2026-04-11T22:50:20.458069+00:00	GitLab Importer	Affected by	VCID-furu-at6b-nbez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2021-23463.yml	38.3.0
2026-04-11T14:06:33.072509+00:00	GHSA Importer	Affected by	VCID-ahev-cr9q-g3d3	https://github.com/advisories/GHSA-22wj-vf5f-wrvj	38.3.0
2026-04-02T23:01:37.559640+00:00	GitLab Importer	Affected by	VCID-6tyr-1gfy-fua1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2022-23221.yml	38.1.0
2026-04-02T23:00:19.098885+00:00	GitLab Importer	Affected by	VCID-jstt-6zs3-ybew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/GMS-2022-7.yml	38.1.0
2026-04-02T22:59:44.480434+00:00	GitLab Importer	Affected by	VCID-furu-at6b-nbez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2021-23463.yml	38.1.0
2026-04-02T14:51:53.968742+00:00	GHSA Importer	Affected by	VCID-ahev-cr9q-g3d3	https://github.com/advisories/GHSA-22wj-vf5f-wrvj	38.1.0
2026-04-01T17:20:28.460060+00:00	GitLab Importer	Affected by	VCID-6tyr-1gfy-fua1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2022-23221.yml	38.0.0
2026-04-01T17:19:04.247489+00:00	GitLab Importer	Affected by	VCID-jstt-6zs3-ybew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/GMS-2022-7.yml	38.0.0
2026-04-01T17:18:28.584127+00:00	GitLab Importer	Affected by	VCID-furu-at6b-nbez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2021-23463.yml	38.0.0