Source: h2database
Version: 1.4.197-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for h2database.

CVE-2021-42392[0]:
| The org.h2.util.JdbcUtils.getConnection method of the H2 database
| takes as parameters the class name of the driver and URL of the
| database. An attacker may pass a JNDI driver name and a URL leading to
| a LDAP or RMI servers, causing remote code execution. This can be
| exploited through various attack vectors, most notably through the H2
| Console which leads to unauthenticated remote code execution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-42392
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392
[1] https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
[2] https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/

Regards,
Salvatore
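As an added defensive illustration (not the upstream patch and not H2's own code), this is the shape of check the scenario above calls for: a "driver class name plus URL" entry point that resolves the class without initializing it, refuses anything that is not a java.sql.Driver, and accepts only jdbc: URLs. The class and method names are hypothetical.

```java
import java.sql.Connection;
import java.sql.Driver;
import java.sql.SQLException;
import java.util.Properties;

// Hypothetical hardened variant of the "driver class name + URL" pattern
// described in the CVE text. Not H2's code; all names are illustrative.
public final class SafeDriverConnection {

    private SafeDriverConnection() {}

    /** Resolve and vet the driver class before any of its code can run. */
    static Driver loadDriver(String driverClassName) throws ReflectiveOperationException {
        // initialize=false: the static initializer of a hostile class must not
        // run merely because its name was supplied by the caller.
        Class<?> cls = Class.forName(driverClassName, false,
                SafeDriverConnection.class.getClassLoader());
        if (!Driver.class.isAssignableFrom(cls)) {
            // A JNDI InitialContextFactory or any other non-driver class stops here.
            throw new IllegalArgumentException(
                    "not a java.sql.Driver: " + driverClassName);
        }
        // Only a vetted java.sql.Driver is ever instantiated.
        return (Driver) cls.getDeclaredConstructor().newInstance();
    }

    /** Only JDBC URLs are meaningful here; ldap:// and rmi:// are rejected outright. */
    static void requireJdbcUrl(String url) {
        if (url == null || !url.regionMatches(true, 0, "jdbc:", 0, 5)) {
            throw new IllegalArgumentException("URL must start with jdbc:");
        }
    }

    public static Connection getConnection(String driverClassName, String url,
            String user, String password) throws SQLException, ReflectiveOperationException {
        requireJdbcUrl(url);
        Driver driver = loadDriver(driverClassName);
        if (!driver.acceptsURL(url)) {
            throw new SQLException("driver does not accept URL: " + url);
        }
        Properties props = new Properties();
        if (user != null) props.setProperty("user", user);
        if (password != null) props.setProperty("password", password);
        return driver.connect(url, props);
    }
}
```

A lookup-string such as an ldap:// or rmi:// URL never reaches a naming service through this path, because it fails requireJdbcUrl before any class is resolved.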