QwikSec

Security Database

CVE

CWE

Training

CVE-2021-42392

Published: Jan 7, 2022

Modified: Aug 4, 2024

PUBLISHED

Description

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.

Vendor	Product	Versions
h2database	h2	affected `1.1.000 - < *`

Weaknesses (CWE)

References

https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6

[debian-lts-announce] 20220215 [SECURITY] [DLA 2923-1] h2database security update

mailing-list

vendor-advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/

https://security.netapp.com/advisory/ntap-20220119-0001/

https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.