CVE-2021-42392

Name of the Vulnerable Software and Affected Versions H2 Console versions 1.1.100 through 2.0.204

Description The issue is related to the org.h2.util.JdbcUtils.getConnection method of the H2 database, which takes the class name of the driver and URL of the database as parameters. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution. The H2 Console doesn't accept remote connections by default, but if remote access was enabled explicitly and some protection method wasn't set, an intruder can load their own custom class and execute its code in a process with H2 Console.

Recommendations For versions 1.1.100 through 2.0.204, consider upgrading to version 2.0.206 or later, where H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. As a temporary workaround, restrict access to the H2 Console to minimize the risk of exploitation. Avoid using the -webAllowOthers setting, as it is considered dangerous. If the H2 Console Servlet is deployed on a web server, protect it with a security constraint. Uncomment and edit <security-role> and <security-constraint> as necessary to ensure proper security settings. At the moment, there is no other information about additional mitigation measures.