CVE-2018-10054
Description
H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the vendor's position is "h2 is not designed to be run outside of a secure environment."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
H2 database 1.4.197 (and others) allows remote code execution via CREATE ALIAS in the web console without authentication, enabling arbitrary Java code execution.
Vulnerability
H2 database version 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution through the CREATE ALIAS feature, which can execute arbitrary Java code [1]. The web console, by default, does not require authentication, making this attack vector accessible to anyone with network access [2].
Exploitation
An attacker needs network access to the H2 web console (typically on port 8082). No authentication is required by default. The attacker can log in and execute SQL commands: CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { ... } $$; followed by CALL SHELLEXEC('command') to execute arbitrary system commands [2].
Impact
Successful exploitation results in remote code execution with the privileges of the H2 database process. This can lead to full system compromise, including data exfiltration, installation of malware, or lateral movement within the network [2].
Mitigation
The vendor's position is that H2 is not designed for untrusted environments [1]. Mitigations include setting a strong password for the database, restricting access to the web console to localhost only, or disabling the web console entirely [3]. Datomic fixed the issue in version 0.9.5697 [1]. No CISA KEV listing exists. As of now, no official patch from H2 is available because the behavior is considered a feature, not a bug.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.datomic:datomic-free (Maven) | < 0.9.5697 | 0.9.5697 |
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.exploit-db.com/exploits/44422/ (exploit)
- github.com/advisories/GHSA-9pf8-qqhm-7w64 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-10054 (advisory)
- blog.datomic.com/2018/03/important-security-update.html (web)
- forum.datomic.com/t/important-security-update-0-9-5697/379 (web)
- github.com/h2database/h2database/issues/1225 (web)
- github.com/h2database/h2database/issues/1808 (web)
- github.com/h2database/h2database/issues/3099 (web)
- lists.apache.org/thread.html/582d4165de6507b0be82d5a6f9a1ce392ec43a00c9fed32bacf7fe1e%40%3Cuser.ignite.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540%40%3Ccommits.nifi.apache.org%3E (mailing list)
- mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html (web)
- security.netapp.com/advisory/ntap-20240719-0003/ (advisory)
News mentions: 0
No linked articles in our index yet.