Hello. H2 is not a secure container. Users with ADMIN privileges may do anything with your JVM and host system as far as your JVM allows by design. If remote database creation is enabled (remote access is completely disabled by default and remote database creation is disabled by default separately since H2 1.4.198), it will create a remote security hole on your system; if you need this feature, you should guard TCP port of H2 and H2 Console by yourself, but usually you should use some other safe way to create a database, you can find them in documentation. And so on. Usually you should use separate users without ADMIN privileges for regular operations.
Unfortunately, some third-party projects include H2 with custom insecure settings into their distributions, such issues should be reported to them instead. There is a possibility that something found by you is not a real vulnerability, but if you think it is or you aren't sure, please report it in a regular issue on GitHub: https://github.com/h2database/h2database/issues If we'll decide to accept such reports privately, we'll create a SECURITY.md file in repository on GitHub with detailed description. -- You received this message because you are subscribed to the Google Groups "H2 Database" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/h2-database/12f45f37-b27a-4ddf-96a2-be580d3ef26fn%40googlegroups.com.
