The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: JFROG
Published: 2022-01-07T00:00:00
Updated: 2024-08-04T03:30:38.345Z
Reserved: 2021-10-14T00:00:00
Link: CVE-2021-42392
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-01-10T14:10:23.643
Modified: 2024-11-21T06:27:43.510
Link: CVE-2021-42392
Redhat