VulnerableCode Package Details - pkg:maven/com.h2database/h2@2.1.210

Search for packages

Vulnerability	Summary	Fixed by
VCID-ahev-cr9q-g3d3 Aliases: CVE-2022-45868 GHSA-22wj-vf5f-wrvj	Password exposure in H2 Database The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."	2.2.220 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-ahev-cr9q-g3d3
Aliases:
CVE-2022-45868
GHSA-22wj-vf5f-wrvj

Password exposure in H2 Database The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

2.2.220
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-6tyr-1gfy-fua1	Improper Control of Generation of Code ('Code Injection') H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.	CVE-2022-23221 GHSA-45hx-wfhj-473x

Vulnerability

Summary

Aliases

VCID-6tyr-1gfy-fua1

Improper Control of Generation of Code ('Code Injection') H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

CVE-2022-23221
GHSA-45hx-wfhj-473x

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:37:53.009569+00:00	GitLab Importer	Fixing	VCID-6tyr-1gfy-fua1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2022-23221.yml	38.4.0
2026-04-16T02:40:25.574806+00:00	GHSA Importer	Affected by	VCID-ahev-cr9q-g3d3	https://github.com/advisories/GHSA-22wj-vf5f-wrvj	38.4.0
2026-04-11T22:52:12.959500+00:00	GitLab Importer	Fixing	VCID-6tyr-1gfy-fua1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2022-23221.yml	38.3.0
2026-04-11T14:06:33.088751+00:00	GHSA Importer	Affected by	VCID-ahev-cr9q-g3d3	https://github.com/advisories/GHSA-22wj-vf5f-wrvj	38.3.0
2026-04-02T23:01:37.572801+00:00	GitLab Importer	Fixing	VCID-6tyr-1gfy-fua1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2022-23221.yml	38.1.0
2026-04-02T14:51:53.984058+00:00	GHSA Importer	Affected by	VCID-ahev-cr9q-g3d3	https://github.com/advisories/GHSA-22wj-vf5f-wrvj	38.1.0
2026-04-01T15:59:22.453582+00:00	GHSA Importer	Fixing	VCID-6tyr-1gfy-fua1	https://github.com/advisories/GHSA-45hx-wfhj-473x	38.0.0
2026-04-01T13:05:43.472546+00:00	GithubOSV Importer	Fixing	VCID-6tyr-1gfy-fua1	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-45hx-wfhj-473x/GHSA-45hx-wfhj-473x.json	38.0.0
2026-04-01T12:49:19.254990+00:00	GitLab Importer	Fixing	VCID-6tyr-1gfy-fua1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.h2database/h2/CVE-2022-23221.yml	38.0.0