CVE-2021-42392

Published: 10 Jan 2022
Source: debian
EPSS: Critical

Description

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.

Packages

Package      Status   Fixed version   Release   Type
h2database   fixed    2.1.210-1       -         package

Notes

  • https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6

  • https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/

  • Fixed by https://github.com/h2database/h2database/commit/41dd2a4cf89da9dd18239debbf73f88da6184ec7

  • https://github.com/h2database/h2database/commit/956c6241868332c5b440f5d55ea8fdc1e51ae4fd

EPSS

Percentile: 100%
0.90773
Critical

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 4 years ago

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.

CVSS3: 9.8
redhat
about 4 years ago

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.

CVSS3: 9.8
nvd
about 4 years ago

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.

CVSS3: 9.8
github
about 4 years ago

RCE in H2 Console

CVSS3: 9.8
fstec
about 4 years ago

Vulnerability in the org.h2.util.JdbcUtils.getConnection method of the H2 database management system, allowing an attacker to execute arbitrary code
