Hi,

> unfortunately Sonatype Data Research think otherwise

They are free to discuss this with us of course. I couldn't find "Sonatype CVSS 3:8.0" or "sonatype-2020-1324", do you have a link?

Regards,
Thomas

On Fri, Feb 18, 2022 at 2:53 PM András Vereb <[email protected]> wrote:

> Hi Thomas,
>
> However, I agree with you; unfortunately Sonatype Data Research think otherwise, as this is still marked as a vulnerability, and moreover with High severity (Sonatype CVSS 3:8.0). The problem is that company policies to conduct an investigation to overrule a potential false positive might be a longer process than simply dropping H2 and going for something else.
>
> Anyway, thank you for your comment, it helps to support my point of view when I need to explain this in detail.
>
> Regards,
> András
>
> [email protected] wrote (Thursday, February 17, 2022, 16:45:02 UTC+1):
>
>> Hi,
>>
>> Yes, H2 can act as a compiler / interpreter and execute code... Same as Java: you can write a Java program that reads and writes files. And same as GCC (or any other compiler / interpreter). I wouldn't call this a "Security Vulnerability".
>>
>>> https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html
>>
>> The blog post makes it look like it was not intended to compile and execute code in H2... It is intended! It is part of the expected behavior. It is not "Exploiting", it is "Using". I would rename the title to
>>
>> Using H2 Database to execute code in native libraries and JNI
>>
>> Regards,
>> Thomas
>>
>> On Thu, Feb 17, 2022 at 4:33 PM András Vereb <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Is this finding still relevant in 2022 with the latest version 2.1.210?
>>> code white | Blog: Exploiting H2 Database with native libraries and JNI (codewhitesec.blogspot.com)
>>> <https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html>
>>>
>>> It is also listed under sonatype-2020-1324, even for the latest release.
>>>
>>> Thank you for any comments!
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "H2 Database" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/h2-database/698d9280-52d1-4157-8be1-9a8829a2b90bn%40googlegroups.com.
