CVE-2021-42392
Publication date 10 January 2022
Last updated 22 July 2025
Ubuntu priority
Description
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| h2database | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Fixed 2.1.210+really1.4.197-1
|
|
| 20.04 LTS focal |
Fixed 1.4.197-4+deb10u1build0.20.04.1
|
|
| 18.04 LTS bionic |
Fixed 1.4.196-2ubuntu0.1~esm1
|
|
| 16.04 LTS xenial |
Fixed 1.4.191-1ubuntu0.1~esm1
|
|
| 14.04 LTS trusty | Ignored end of standard support |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5365-1
- H2 vulnerabilities
- 5 April 2022
- USN-6834-1
- H2 vulnerabilities
- 13 June 2024