Bug#1003894: h2database: CVE-2021-42392
Salvatore Bonaccorso
carnil at debian.org
Mon Jan 17 19:39:51 GMT 2022
Source: h2database
Version: 1.4.197-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for h2database.
CVE-2021-42392[0]:
| The org.h2.util.JdbcUtils.getConnection method of the H2 database
| takes as parameters the class name of the driver and URL of the
| database. An attacker may pass a JNDI driver name and a URL leading to
| a LDAP or RMI servers, causing remote code execution. This can be
| exploited through various attack vectors, most notably through the H2
| Console which leads to unauthenticated remote code execution.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-42392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392
[1] https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
[2] https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list