CVE-2021-42392

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-42392
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-42392.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-42392
Aliases
Related
Published
2022-01-10T14:10:23Z
Modified
2024-10-12T08:34:24.529653Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.

References

Affected packages

Debian:11 / h2database

Package

Name
h2database
Purl
pkg:deb/debian/h2database?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.197-4+deb11u1

Affected versions

1.*

1.4.197-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / h2database

Package

Name
h2database
Purl
pkg:deb/debian/h2database?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.210-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / h2database

Package

Name
h2database
Purl
pkg:deb/debian/h2database?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.210-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/h2database/h2database

Affected ranges

Type
GIT
Repo
https://github.com/h2database/h2database
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

version-1.*

version-1.4.188
version-1.4.190
version-1.4.191
version-1.4.192
version-1.4.193
version-1.4.194
version-1.4.195
version-1.4.196
version-1.4.197
version-1.4.198
version-1.4.199
version-1.4.200

version-2.*

version-2.0.202
version-2.0.204