What is CVE-2021-42392?

CVE-2021-42392 is a vulnerability in H2database H2, classified under Deserialization of Untrusted Data. Published 2022-01-07.

Is CVE-2021-42392 known to be exploited?

40 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in H2database H2

CVE-2021-42392

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote…

Vulnerability class: Insecure Deserialization

EPSS: 0.906 (99.6th percentile) — read the EPSS interpretation.

Affected products

H2database H2 — versions 1.1.000

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

Be-Innova/CVE-2021-42392-exploit-lab
ARPSyndicate/cvemon
J1ezds/Vulnerability-Wiki-page
LXGaming/Agent
NaInSec/CVE-PoC-in-GitHub
PuddinCat/GithubRepoSpider
RunCor399/Project_
SYRTI/POC_
Threekiii/Awesome-POC
WhooAmii/POC_

References

github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
[debian-lts-announce] 20220215 [SECURITY] [DLA 2923-1] h2database security update (mailing-list)
DSA-5076 (vendor-advisory)
www.oracle.com/security-alerts/cpuapr2022.html
jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
security.netapp.com/advisory/ntap-20220119-0001/
www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h…

Frequently asked questions

What is CVE-2021-42392?: CVE-2021-42392 is a vulnerability in H2database H2, classified under Deserialization of Untrusted Data. Published 2022-01-07.
Is CVE-2021-42392 known to be exploited?: 40 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.