Remote Code Execution (RCE) Affecting com.h2database:h2 package, versions [1.1.100, 2.0.206)



    Attack Complexity High
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 50.02% (98th percentile)
Expand this section
9.8 critical
Expand this section
Red Hat
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • published 6 Jan 2022
  • disclosed 6 Jan 2022
  • credit JFrog Security vulnerability Research Team

How to fix?

Upgrade com.h2database:h2 to version 2.0.206 or higher.


com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution

If remote access was enabled explicitly and some protection method (such as security constraint) are not set, an intruder can load their own custom class and execute their code in a process using H2 Console (a H2 Server process or a web server with H2 Console servlet).

Note: It should be noted that H2 Console doesn't accept remote connections by default.


  • H2 Console should never be available to untrusted users.

  • -webAllowOthers is a dangerous setting that should be avoided.

  • H2 Console Servlet deployed on a web server can be protected with a security constraint: If webAllowOthers is specified, you need to uncomment and edit and as necessary. See documentation of your web server for more details.

All these workaround are mitigatory and unlikely to prevent all attack vectors, upgrade to a fixed version for full remediation.