[13:11:35] Java 17 already present at /usr/lib/jvm/java-17-openjdk-amd64 [13:11:35] Using JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 (openjdk version "17.0.19" 2026-04-21) [13:11:35] Reusing cached tarball gravitino-1.2.0-bin.tar.gz (954M) [13:11:35] Reusing cached tarball gravitino-1.2.1-bin.tar.gz (821M) [13:11:35] ================ VULNERABLE VERSION 1.2.0 ================ [13:11:35] [vuln] extracting gravitino-1.2.0... [13:11:39] [vuln] server ready after 1s [13:11:39] [vuln] attempt 1: sending malicious testConnection... [13:11:42] [vuln] attempt 1: RCE CONFIRMED (marker created) [13:11:42] [vuln] attempt 2: sending malicious testConnection... [13:11:43] [vuln] attempt 2: RCE CONFIRMED (marker created) [13:11:49] ================ FIXED VERSION 1.2.1 ================ [13:11:49] [fixed] extracting gravitino-1.2.1... [13:11:54] [fixed] server ready after 1s [13:11:54] [fixed] attempt 1: sending same malicious testConnection... [13:11:56] [fixed] attempt 1: exploit blocked (no marker) - checking rejection message... [13:11:56] [fixed] attempt 1: confirmed rejection 'H2 JDBC URL is not allowed' [13:11:56] [fixed] attempt 2: sending same malicious testConnection... [13:11:57] [fixed] attempt 2: exploit blocked (no marker) - checking rejection message... [13:11:57] [fixed] attempt 2: confirmed rejection 'H2 JDBC URL is not allowed' [13:12:03] ================ VERDICT ================ [13:12:03] VULNERABLE (1.2.0) RCE confirmed: true [13:12:03] FIXED (1.2.1) exploit blocked: true [13:12:03] RESULT: confirmed - vulnerable executes attacker code, fixed blocks it