Thanks for your answer. I know about the vulnerability - I don't even use the console or H2 in production. But my project has a policy about CVEs. This vulnerability is tagged by our CI/CD system and I have to fix it or remove the dependency. I just can't say "it's not exploitable": if the vulnerability scanner tags the CVE, the release will not be allowed.
On Monday, January 10, 2022 at 16:25:00 UTC+1, Evgenij Ryazanov wrote:

> Hello.
>
> This vulnerability affects only the H2 Console and it may harm you only if you run it with -webAllowOthers parameter without additional protection. You shouldn't do that with any version of H2.
>
> https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
>
> It doesn't affect H2 Database in any way.
>
> H2 since the version 2.0.204 has LEGACY mode; in this mode some (but not all) wrong commands are allowed, including equality comparisons between numeric and boolean values. To enable this mode you need to add ;MODE=LEGACY to JDBC URL.
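The `;MODE=LEGACY` switch described in the quoted reply, shown as an added Java example that is not part of this thread or of the H2 project's own code. It assumes an H2 2.0.204 or later driver on the classpath, uses in-memory databases so nothing is written to disk, and shows that a BOOLEAN-to-numeric equality comparison is rejected in the default mode and accepted once the URL carries `;MODE=LEGACY`:

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LegacyModeCheck {

    // Assumption: h2 >= 2.0.204 is on the classpath. Each call opens a fresh
    // in-memory database, so the two URLs below are independent of each other.
    static boolean mixedComparisonAccepted(String jdbcUrl) throws SQLException {
        try (Connection c = DriverManager.getConnection(jdbcUrl, "sa", "");
             Statement s = c.createStatement()) {
            s.execute("CREATE TABLE t(flag BOOLEAN)");
            s.execute("INSERT INTO t VALUES (TRUE), (FALSE)");
            // BOOLEAN column compared with an INTEGER literal: the kind of
            // "wrong command" the quoted reply says only LEGACY mode permits.
            try (ResultSet rs = s.executeQuery("SELECT COUNT(*) FROM t WHERE flag = 1")) {
                rs.next();
                return rs.getInt(1) == 1;
            } catch (SQLException e) {
                // Default (REGULAR) mode raises "types are not comparable"
                return false;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed URLs: database names are arbitrary, only the MODE setting matters.
        System.out.println("default mode accepts flag = 1: "
                + mixedComparisonAccepted("jdbc:h2:mem:strict"));
        System.out.println("LEGACY mode accepts flag = 1:  "
                + mixedComparisonAccepted("jdbc:h2:mem:legacy;MODE=LEGACY"));
    }
}
```

Keeping LEGACY mode off in production makes such comparisons fail loudly at query time, which is usually preferable to silently coercing values; use it only as a migration aid while the offending SQL is fixed.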
