Vulnerability Description
An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| H2Database | H2 | 1.4.197 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2020:0727
- https://gist.github.com/owodelta/9714faf9a86435cef5a99d4930eaee20 (Exploit, Third Party Advisory)
- https://lists.apache.org/thread.html/582d4165de6507b0be82d5a6f9a1ce392ec43a00c9f
- https://security.netapp.com/advisory/ntap-20240726-0003/
- https://www.exploit-db.com/exploits/45105/ (Exploit, Third Party Advisory, VDB Entry)
FAQ
What is CVE-2018-14335?
CVE-2018-14335 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database ...
How severe is CVE-2018-14335?
CVE-2018-14335 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-14335?
Check the references section above for vendor advisories and patch information. Affected products include: H2Database H2.