
H2 Database Console Remote Code Execution (RCE) Vulnerability (CVE-2021-42392)


Article ID: 241308




Service Virtualization



The vulnerability "H2 Database Console Remote Code Execution (RCE) Vulnerability (CVE-2021-42392)" is highlighted in the h2-1.4.178.jar file. The jar file is available in ..devtest-10.6/lib/

Could you please advise me on the steps to fix this vulnerability?




Release : 10.6

Component : DevTest Vulnerability


CVE-2021-42392 affects only H2 deployments that actively run the H2 Web Console with remote access enabled. The console is not started by default and, even when started, does not accept remote connections unless that is explicitly configured; an administrator has to load it deliberately. In addition, the console of an in-memory database cannot be reached from another process unless a TCP server is started in the same process in which the database was opened. For these reasons the severity and impact for Service Virtualization are assessed as low.

Furthermore, H2 is intended only for experimental, demo and development use. If H2 is being used in production, move to one of the other standard databases.
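The assessment above rests on a precondition that can be verified on the host: no Java process runs the H2 Web Console with remote access enabled. The following POSIX shell script is an added example written for this article, not DevTest code and not anything shipped with H2; it assumes the console is started through H2's own tools (org.h2.tools.Server or org.h2.tools.Console) and their documented switches -web, -webAllowOthers and -webPort. Consoles embedded in an application server via a servlet are outside its scope and need to be reviewed in that application's configuration. The sample command lines in it are constructed, not captured from a real installation.

```shell
#!/bin/sh
# Added audit helper; not part of DevTest or of the KB article.
# Checks the precondition behind the "low impact" assessment: is any Java
# process on this host running the H2 Web Console, and does that console
# accept remote connections?
#
# Recognised H2 command-line switches (org.h2.tools.Server / Console):
#   -web              start the web console (listens on localhost only)
#   -webAllowOthers   let the console accept connections from other hosts
#   -webPort <n>      console port (H2 default is 8082)
# -tcp / -tcpAllowOthers expose the database itself, not the console, and
# are therefore not what CVE-2021-42392 is about.

# classify_h2_cmdline CMDLINE -> REMOTE_CONSOLE | LOCAL_CONSOLE | NO_CONSOLE
classify_h2_cmdline() {
    padded=" $1 "          # pad so whole tokens can be matched with case
    web=0
    others=0
    case "$padded" in
        *" -web "*) web=1 ;;
    esac
    case "$padded" in
        # org.h2.tools.Console starts the web console by default, so treat
        # it as a console process (conservative: may over-report).
        *" org.h2.tools.Console "*) web=1 ;;
    esac
    case "$padded" in
        *" -webAllowOthers "*) others=1 ;;
    esac
    if [ "$web" -eq 1 ] && [ "$others" -eq 1 ]; then
        echo REMOTE_CONSOLE
    elif [ "$web" -eq 1 ]; then
        echo LOCAL_CONSOLE
    else
        echo NO_CONSOLE
    fi
}

# h2_console_port CMDLINE -> the port the console would listen on
h2_console_port() {
    p=$(printf '%s\n' "$1" | sed -n 's/.* -webPort  *\([0-9][0-9]*\).*/\1/p')
    echo "${p:-8082}"
}

# audit_h2_processes -> one "VERDICT<TAB>PORT<TAB>CMDLINE" line per H2 process.
# Reads command lines from stdin so it can be fed either by ps or by the
# constructed sample below.
audit_h2_processes() {
    while IFS= read -r line; do
        case "$line" in
            *org.h2.*|*h2-*.jar*)
                v=$(classify_h2_cmdline "$line")
                printf '%s\t%s\t%s\n' "$v" "$(h2_console_port "$line")" "$line" ;;
        esac
    done
}

# Constructed sample of process command lines (not captured from a real
# DevTest host). Only the third line is a configuration the CVE applies to.
SAMPLE_PS='java -cp lib/h2-1.4.178.jar org.h2.tools.Server -tcp -tcpAllowOthers -tcpPort 9092
java -cp lib/h2-1.4.178.jar org.h2.tools.Server -web -webPort 8082
java -cp lib/h2-1.4.178.jar org.h2.tools.Server -web -webAllowOthers -webPort 8085
java -cp lib/h2-1.4.178.jar org.h2.tools.Console
java -jar some-other-app.jar'

if [ "${1:-}" = "--live" ]; then
    ps -eo args= | audit_h2_processes          # audit this host
else
    printf '%s\n' "$SAMPLE_PS" | audit_h2_processes
fi
```

Run the script with --live to audit the local host. A REMOTE_CONSOLE verdict means the precondition of the low-impact assessment does not hold on that host: the console should be stopped, or restricted to localhost by removing -webAllowOthers, until the deployment is otherwise remediated.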