High Threat Security Alert (A22-01-06): Vulnerability in H2 Database Console
10 January 2022
H2 has released a security advisory to address a vulnerability in the H2 database console. A remote unauthenticated attacker could perform arbitrary code execution on a vulnerable system by exploiting the vulnerability.
Reports indicate that a remote code execution vulnerability (CVE-2021-42392) in the H2 database console is at high risk of exploitation. H2 is an open-source Java SQL database widely used in Maven repositories. System administrators are advised to take immediate action to patch affected systems to mitigate the elevated risk of cyber attacks.
Systems or applications using H2 database versions prior to 2.0.206 with the web-based console enabled
Successful exploitation of the vulnerability could lead to remote code execution on an affected system.
H2 has released a new version of the product to address the issue and it can be downloaded at the following URLs:
In addition to in-house and self-developed systems/applications, commercial products and open-source software/libraries may also be affected by the vulnerability. It is recommended to consult product vendors on whether the software products in use are affected and whether corresponding patches/mitigation measures are available. If so, system administrators should apply the patches or follow the recommendations provided by the product vendors to mitigate the risk.
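Because H2 is often bundled inside other products and application archives, an inventory of installed copies is a useful first step. The following script is an added example, not part of the advisory: it walks a directory tree, looks for H2 jars both on disk and packed inside `.jar`/`.war`/`.ear` archives, and flags versions below 2.0.206. It assumes the Maven-style file name `h2-<version>.jar` and does not determine whether the web console is enabled, which must be checked in each application's configuration.

```python
import re
import zipfile
from pathlib import Path

FIXED = (2, 0, 206)  # first fixed release named in the advisory
# Assumption: H2 jars keep the Maven artifact name h2-<version>.jar
H2_JAR = re.compile(r"(?:^|/)h2-(\d+(?:\.\d+)*)\.jar$")
ARCHIVES = {".jar", ".war", ".ear"}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    # Pad short versions so (2, 0) compares as (2, 0, 0)
    padded = tuple(version) + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def find_h2(root):
    """Yield (location, version, affected) for every H2 jar found under root."""
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in ARCHIVES:
            continue
        match = H2_JAR.search(path.as_posix())
        if match:  # stand-alone H2 jar on disk
            ver = match.group(1)
            yield str(path), ver, is_affected(parse_version(ver))
            continue
        try:  # otherwise look for a bundled copy inside the archive
            with zipfile.ZipFile(path) as zf:
                names = zf.namelist()
        except (zipfile.BadZipFile, OSError):
            continue  # unreadable or not a real archive; skip it
        for name in names:
            match = H2_JAR.search(name)
            if match:
                ver = match.group(1)
                yield f"{path}!{name}", ver, is_affected(parse_version(ver))


if __name__ == "__main__":
    import sys
    for loc, ver, bad in find_h2(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if bad else 'ok':8} h2 {ver}  {loc}")
```

Run it with the directory to scan as the only argument; entries marked `AFFECTED` are candidates for upgrade and for a check of whether the console is enabled.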