{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-04T00:22:52.775","vulnerabilities":[{"cve":{"id":"CVE-2021-42392","sourceIdentifier":"reefs@jfrog.com","published":"2022-01-10T14:10:23.643","lastModified":"2024-11-21T06:27:43.510","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution."},{"lang":"es","value":"El método org.h2.util.JdbcUtils.getConnection de la base de datos H2 toma como parámetros el nombre de la clase del controlador y la URL de la base de datos. Un atacante puede pasar un nombre de controlador JNDI y una URL que conlleve a un servidor LDAP o RMI, causando una ejecución de código remota. 
Esto puede ser explotado mediante varios vectores de ataque, sobre todo mediante la Consola H2 que conlleva a una ejecución de código remoto no autenticado"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","baseScore":10.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":10.0,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"reefs@jfrog.com","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:h2database:h2:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.000","versionEndIncluding":"2.0.204","matchCriteriaId":"6770600B-79F8-4C9A-A455-CC0F0604D864"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"DEECE5FC-CACF-4496-A3E7-164736409252"},{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"},{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_
linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*","matchCriteriaId":"B4367D9B-BF81-47AD-A840-AC46317C774D"}]}]}],"references":[{"url":"https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6","source":"reefs@jfrog.com","tags":["Mitigation","Third Party Advisory"]},{"url":"https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/","source":"reefs@jfrog.com","tags":["Exploit","Technical Description","Vendor Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html","source":"reefs@jfrog.com","tags":["Mailing List","Third Party Advisory"]},{"url":"https://security.netapp.com/advisory/ntap-20220119-0001/","source":"reefs@jfrog.com","tags":["Third Party Advisory"]},{"url":"https://www.debian.org/security/2022/dsa-5076","source":"reefs@jfrog.com","tags":["Third Party Advisory"]},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","source":"reefs@jfrog.com","tags":["Patch","Third Party Advisory"]},{"url":"https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/","source":"reefs@jfrog.com"},{"url":"https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mitigation","Third Party Advisory"]},{"url":"https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Technical Description","Vendor Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party 
Advisory"]},{"url":"https://security.netapp.com/advisory/ntap-20220119-0001/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://www.debian.org/security/2022/dsa-5076","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}