Home > Vulnerability Database > CVE-2018-10054

Mend.io Vulnerability Database

CVE-2018-10054

Good to know:

Date: April 10, 2018

H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the vendor's position is "h2 is not designed to be run outside of a secure environment."

Language: Java

Severity Score

8.8

Related Resources (16)

Url: https://lists.apache.org/thread.html/582d4165de6507b0be82d5a6f9a1ce392ec43a00c9fed32bacf7fe1e@%3Cuser.ignite.apache.org%3E

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-10054

Url: https://github.com/h2database/h2database/issues/3099

Url: https://github.com/h2database/h2database/issues/1225

Url: https://www.exploit-db.com/exploits/44422/

Url: https://www.exploit-db.com/exploits/44422

Url: https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540%40%3Ccommits.nifi.apache.org%3E

Url: https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540@%3Ccommits.nifi.apache.org%3E

Url: https://forum.datomic.com/t/important-security-update-0-9-5697/379

Url: https://security.netapp.com/advisory/ntap-20240719-0003

Url: http://blog.datomic.com/2018/03/important-security-update.html

Url: https://lists.apache.org/thread.html/582d4165de6507b0be82d5a6f9a1ce392ec43a00c9fed32bacf7fe1e%40%3Cuser.ignite.apache.org%3E

Url: https://security.netapp.com/advisory/ntap-20240719-0003/

Url: https://github.com/h2database/h2database/issues/1808#issuecomment-599203115

Url: https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html

Url: https://www.mend.io/vulnerability-database/CVE-2018-10054

Severity Score

8.8

Weakness Type (CWE)

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version com.datomic:datomic-free:0.9.5697

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-10054

Good to know:

Date: April 10, 2018

Language: Java

Severity Score

Related Resources (16)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?