Re: H2 CVE

2023-06-22 Thread David Handermann
Hi Mike,

Thanks for noting this finding with H2. Unfortunately there are a large number of dependencies with associated vulnerability findings, many of which are false positives. The OWASP suppressions configuration includes a note for this specific vulnerability:

H2 CVE

2023-06-22 Thread Mike Thomsen
A colleague found this "CVE" report for H2. I agree with the H2 devs that it's a big joke of a CVE, but it's something we might want to add something to the documentation to discuss because it could cause grief for our users.

https://github.com/h2database/h2database/issues/3686