News

H2 vulnerability root cause similar to Log4Shell, less exploitation scope
Like Log4Shell, the flaw (CVE-2021-42392) relates to Java Naming and Directory Interface (JNDI) remote class loading.
JFrog explained that the Java Naming and Directory Interface (JNDI) is an API that provides naming and directory functionality for Java applications. H2 is a widely-used open-source Java SQL ...
That allows for Java code injection or remote code execution. There are a number of attack vectors that could be used to exploit the vulnerability, the most severe being through the H2 console.
On that point, the JFrog team recommends that all users of the H2 database upgrade to version 2.0.206, which fixes CVE-2021-42392 by limiting JNDI URLs to use the local java protocol only ...
IT administrators with the open-source Java-based H2 SQL database in their environments are being urged to update to the latest version after the discovery of an "extremely critical" vulnerability ...