CVE-2018-14335 – H2 Database 1.4.197 - Information Disclosure
https://notcve.org/view.php?id=CVE-2018-14335
An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file. H2 Database version 1.4.197 suffers from an information disclosure vulnerability.

• https://www.exploit-db.com/exploits/45105
• https://access.redhat.com/errata/RHSA-2020:0727
• https://gist.github.com/owodelta/9714faf9a86435cef5a99d4930eaee20
• https://lists.apache.org/thread.html/582d4165de6507b0be82d5a6f9a1ce392ec43a00c9fed32bacf7fe1e%40%3Cuser.ignite.apache.org%3E
• https://security.netapp.com/advisory/ntap-20240726-0003
• https://access.redhat.com/security/cve/CVE-2018-14335
• https://bugzilla.redhat.com/show_bug.cgi?id=1610877

• CWE-59: Improper Link Resolution Before File Access ('Link Following')
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-276: Incorrect Default Permissions

CVE-2018-10054
https://notcve.org/view.php?id=CVE-2018-10054
H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the vendor's position is "h2 is not designed to be run outside of a secure environment."

• http://blog.datomic.com/2018/03/important-security-update.html
• https://forum.datomic.com/t/important-security-update-0-9-5697/379
• https://github.com/h2database/h2database/issues/1225
• https://github.com/h2database/h2database/issues/1808#issuecomment-599203115
• https://github.com/h2database/h2database/issues/3099
• https://lists.apache.org/thread.html/582d4165de6507b0be82d5a6f9a1ce392ec43a00c9fed32bacf7fe1e%40%3Cuser.ignite.apache.org%3E
• https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540%40%3Ccommits

• CWE-20: Improper Input Validation