
Cloud Vulnerability DB
A community-led vulnerabilities database
H2 Console before version 2.1.210 contains a remote code execution vulnerability (CVE-2022-23221) that allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNOREUNKNOWNSETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring. This vulnerability is distinct from CVE-2021-42392 (NVD, Debian).
The vulnerability has a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The flaw exists in the H2 Console's connection handling functionality, where insufficient validation of JDBC URL parameters allows attackers to execute arbitrary code through specially crafted URLs. The vulnerability is classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command) (NVD).
Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability allows attackers to execute arbitrary code with the privileges of the application running the H2 Console (NetApp).
The vulnerability has been fixed in H2 Database version 2.1.210. Organizations are strongly advised to upgrade to this version or later. For systems that cannot be immediately upgraded, it is recommended to disable the H2 Console if not required, as it is primarily a developer tool. Debian has disabled the H2 console in their (old)stable releases as a mitigation measure (Debian).
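The advisory pins the issue to a specific combination of H2 JDBC URL settings. The following is an added example (not code from the page or from the H2 project) that parses an H2 JDBC URL the way H2 splits its `;`-separated settings and flags the ones named above, so a defender can triage console or access logs for that pattern; the sample URLs, the `_SPLIT` regex and the function names are assumptions made here.

```python
import re
from urllib.parse import unquote

# H2 settings whose values mark the CVE-2022-23221 pattern (names are case-insensitive in H2).
RISKY_SETTINGS = {
    "INIT": lambda v: "RUNSCRIPT" in v.upper(),          # runs SQL at connect time
    "FORBID_CREATION": lambda v: v.upper() == "FALSE",   # lets the console create the DB
    "IGNOREUNKNOWNSETTINGS": lambda v: v.upper() == "TRUE",
}
_SPLIT = re.compile(r"(?<!\\);")  # H2 separates settings with ';'; a literal ';' is escaped as '\;'

def parse_h2_url(url: str) -> dict:
    """Split an H2 JDBC URL into its base (jdbc:h2:<mode>:<name>) and its settings."""
    url = unquote(url.strip())  # logs may carry %3B/%3D-encoded URLs
    if not url.lower().startswith("jdbc:h2:"):
        raise ValueError("not an H2 JDBC URL")
    base, *parts = _SPLIT.split(url)
    settings = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            settings[key.strip().upper()] = value.strip()
    return {"base": base, "settings": settings}

def assess_h2_url(url: str) -> dict:
    """Report which risky settings a URL carries and whether it fits the advisory's pattern."""
    parsed = parse_h2_url(url)
    hits = [k for k, check in RISKY_SETTINGS.items()
            if k in parsed["settings"] and check(parsed["settings"][k])]
    in_memory = parsed["base"].lower().startswith("jdbc:h2:mem:")
    return {
        "in_memory": in_memory,
        "risky_settings": hits,
        # The advisory's exact combination: in-memory DB plus all three settings.
        "matches_cve_2022_23221": in_memory and len(hits) == len(RISKY_SETTINGS),
    }

def scan_urls(urls):
    """Return (url, assessment) for every URL that carries at least one risky setting."""
    return [(u, a) for u in urls for a in [assess_h2_url(u)] if a["risky_settings"]]

# Constructed sample of JDBC URLs as they might appear in H2 Console or access logs.
SAMPLE_URLS = [
    "jdbc:h2:mem:test",
    "jdbc:h2:~/appdb;DB_CLOSE_DELAY=-1",
    "jdbc:h2:mem:x;IGNOREUNKNOWNSETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT FROM '/tmp/constructed.sql'",
    "jdbc:h2:mem:y;init=runscript from '/tmp/constructed.sql'",
]
```

Calling `scan_urls(SAMPLE_URLS)` returns only the last two sample URLs: the third matches the full advisory pattern, while the fourth is flagged on `INIT` alone, which is still worth reviewing since that setting is what runs SQL at connect time.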
The vulnerability received significant attention from the security community, with multiple vendors issuing advisories and patches. Oracle included fixes for this vulnerability in their Critical Patch Update Advisory for April 2022. The discovery was publicly disclosed by security researcher Ismail Aydemir (Twitter).
Source: This report was generated using AI