CVE-2021-42392

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-42392
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-42392.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-42392
Aliases
Downstream
Related
Published
2022-01-10T14:10:23.643Z
Modified
2026-04-11T12:38:11.353502Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.

Database specific 
{
    "unresolved_ranges": [
        {
            "cpe": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "1.15.0"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpe": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "10.0"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpe": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "11.0"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpe": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "9.0"
                }
            ],
            "source": "CPE_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/h2database/h2database

Affected ranges

Type
GIT
Repo
https://github.com/h2database/h2database
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
76994fd0ae92cce4660aa10491a7b6bb7680727a
Database specific 
{
    "cpe": "cpe:2.3:a:h2database:h2:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.1.000"
        },
        {
            "last_affected": "2.0.204"
        }
    ],
    "source": "CPE_FIELD"
}

Affected versions

version-1.*
version-1.4.188
version-1.4.190
version-1.4.192
version-1.4.193
version-1.4.194
version-1.4.195
version-1.4.197
version-1.4.198
version-1.4.199
version-1.4.200
version-2.*
version-2.0.202
version-2.0.204

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-42392.json"