JNDI-Related Vulnerability Discovered in H2 Database Console | JFrog

The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console

Update 07/01/22 – Added credit to researcher @pyn3rd for similar independent previous findings in the Acknowledgements section.

Update 4/30/26 – Since this post was published, a second critical RCE vulnerability was discovered in H2 Console: CVE-2022-23221 (CVSS 9.8), which exploits malicious JDBC URLs. It was fixed in H2 version 2.1.210. We recommend upgrading to the latest …