Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Remote Code Execution (RCE) vulnerabilities in an interactive lesson.
Start learningUpgrade com.h2database:h2
to version 2.0.206 or higher.
com.h2database:h2 is a database engine
Affected versions of this package are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution
If remote access was enabled explicitly and some protection method (such as security constraint) are not set, an intruder can load their own custom class and execute their code in a process using H2 Console (a H2 Server process or a web server with H2 Console servlet).
Note: It should be noted that H2 Console doesn't accept remote connections by default.
H2 Console should never be available to untrusted users.
-webAllowOthers
is a dangerous setting that should be avoided.
H2 Console Servlet deployed on a web server can be protected with a security constraint:
https://h2database.com/html/tutorial.html#usingH2ConsoleServlet
If webAllowOthers is specified, you need to uncomment and edit and as necessary. See documentation of your web server for more details.
All these workaround are mitigatory and unlikely to prevent all attack vectors, upgrade to a fixed version for full remediation.