VYPR
Critical severity · NVD Advisory · Published Jan 7, 2022 · Updated Aug 4, 2024

CVE-2021-42392

Description

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated remote code execution in H2 Database Console via JNDI injection in the JdbcUtils.getConnection method.

Vulnerability

The vulnerability resides in the org.h2.util.JdbcUtils.getConnection method of the H2 database. This method accepts the class name of a driver and a database URL as parameters. When an attacker provides a JNDI driver name (a class assignable to javax.naming.Context) and a URL pointing to an attacker-controlled LDAP or RMI server, the method instantiates a JNDI context and calls lookup() on the supplied URL without proper validation [1][4]. This enables JNDI remote class loading, similar to the root cause of Log4Shell (CVE-2021-44228) [1]. All versions prior to the fix are affected; the vulnerability is most notably reachable through the H2 Console, which does not require authentication [1][4].

Exploitation

An attacker does not need any prior authentication or special privileges. The most prominent attack vector is the H2 Console, where a user can supply arbitrary JDBC URL and driver class values [1][4]. By entering a JNDI driver class name (e.g., javax.naming.InitialContext) and a URL such as ldap://attacker-controlled-server/exploit, the H2 server will perform a JNDI lookup to the attacker's server, which can return a remote class that gets executed on the H2 server [1][4]. The lookup happens before username/password validation, so no valid credentials are required [4].

Impact

Successful exploitation allows an unauthenticated remote attacker to achieve full remote code execution (RCE) on the server running the H2 Console [1][4]. The impact is direct: the vulnerable server itself is compromised, granting the attacker the same privileges as the H2 process [1]. This can lead to complete compromise of the application and its data, including information disclosure, data modification, or further lateral movement.

Mitigation

The vulnerability was fixed in H2 version 2.0.206, released on 2022-01-07 [2]. Users should upgrade to at least this version. Note that a subsequent related vulnerability, CVE-2022-23221 (CVSS 9.8), was also discovered and fixed in version 2.1.210 [1]. The latest H2 releases (e.g., 2.3.x) address both issues [1]. No widely reported active exploitation has been observed, though the EPSS score remains high [1]. If upgrading is not immediately possible, restricting network access to the H2 Console is a recommended workaround.
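A deny-by-default check of the kind an application could apply to driver/URL pairs before they ever reach getConnection, plus a triage pass over audit records, written here as an added example (not H2's code and not part of the advisory). The driver allow-list, the record field names and the sample attempts are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Assumed allow-list of JDBC driver classes the deployment actually uses
# (hypothetical policy, not part of H2 or of the advisory).
ALLOWED_DRIVERS = {"org.h2.Driver", "org.postgresql.Driver"}

# Naming-service schemes a JNDI lookup would follow; any of these inside a
# value presented as a "JDBC URL" is a CVE-2021-42392-style red flag.
JNDI_SCHEME = re.compile(r"\b(ldaps?|rmi|iiop|dns)://", re.IGNORECASE)


def classify(driver: str, url: str) -> tuple:
    """Return ("allow"|"deny", reason) for a driver/URL pair that is about
    to be handed to JdbcUtils.getConnection. Only an allow-listed JDBC
    driver combined with a plain jdbc: URL passes."""
    driver = driver.strip()
    decoded = unquote(url).strip()  # do not let %-encoding hide the scheme
    if driver.startswith("javax.naming."):
        return "deny", f"driver {driver!r} is a JNDI context class, not a JDBC driver"
    if driver not in ALLOWED_DRIVERS:
        return "deny", f"driver {driver!r} is not on the allow-list"
    if not decoded.lower().startswith("jdbc:"):
        return "deny", f"url does not use the jdbc: scheme: {decoded!r}"
    m = JNDI_SCHEME.search(decoded)
    if m:
        return "deny", f"url embeds naming-service scheme {m.group(0)!r}"
    return "allow", "allow-listed driver with plain jdbc: URL"


# Constructed sample of console login attempts as an application might audit
# them; the field names are an assumption, not H2's own log format.
SAMPLE_ATTEMPTS = [
    {"src": "10.0.0.5", "driver": "org.h2.Driver", "url": "jdbc:h2:~/test"},
    {"src": "203.0.113.7", "driver": "javax.naming.InitialContext",
     "url": "ldap://203.0.113.7:1389/x"},
    {"src": "203.0.113.9", "driver": "org.h2.Driver",
     "url": "LDAP%3A%2F%2F203.0.113.9%3A1389%2Fx"},
]


def triage(attempts):
    """Return the attempts the policy rejects, annotated with the reason,
    for alerting or blocking."""
    flagged = []
    for a in attempts:
        verdict, reason = classify(a["driver"], a["url"])
        if verdict == "deny":
            flagged.append({**a, "reason": reason})
    return flagged
```

The check is a compensating control for the window before the upgrade to 2.0.206 lands; it does not replace the upgrade or the network restriction on the console.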

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.h2database:h2 (Maven) | >= 1.1.100, < 2.0.206 | 2.0.206
