Hi Thomas, although I agree with you, unfortunately Sonatype Data Research thinks otherwise, as this is still marked as a vulnerability, and moreover with High severity (Sonatype CVSS 3: 8.0). The problem is that company policies to conduct an investigation to overrule a potential false positive might be a longer process than simply dropping H2 and going for something else.
Anyway, thank you for your comment; it helps to support my point of view when I need to explain this in detail.

Regards,
András

[email protected] wrote (Thursday, 17 February 2022, 16:45:02 UTC+1):

> Hi,
>
> Yes, H2 can act as a compiler / interpreter and execute code... Same as Java: you can write a Java program that reads and writes files. And same as GCC (or any other compiler / interpreter). I wouldn't call this a "Security Vulnerability".
>
> https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html
>
> The blog post makes it look like it was not intended to compile and execute code in H2... It is intended! It is part of the expected behavior. It is not "Exploiting", it is "Using". I would rename the title to
>
> Using H2 Database to execute code in native libraries and JNI
>
> Regards,
> Thomas
>
> On Thu, Feb 17, 2022 at 4:33 PM András Vereb <[email protected]> wrote:
>
>> Hi,
>>
>> Is this finding still relevant in 2022 with the latest version 2.1.210?
>> code white | Blog: Exploiting H2 Database with native libraries and JNI (codewhitesec.blogspot.com)
>> <https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html>
>>
>> It is also listed under sonatype-2020-1324 even for the latest release.
>>
>> Thank you for any comments!
>>
>> --
>> You received this message because you are subscribed to the Google Groups "H2 Database" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/h2-database/698d9280-52d1-4157-8be1-9a8829a2b90bn%40googlegroups.com.
