Security organization JFrog has found a vulnerability in H2. The problem is similar to Log4Shell, the infamous threat in Log4j.

H2 consoles on servers accessible from the outside can be abused for remote code execution (RCE). Multiple lines of code in H2 send urls to a ‘javax.naming.Context.lookup’ function. Access to an H2 console allows the function to be provided with two parameters: the url of a server containing malicious code and a line of code with the command to execute the code.

The problem is similar to the initial vulnerability in Log4j. The Java library allowed URLs to be delivered from outside an application, upon which the application would execute remote code. In contrast, the vulnerability in H2 can only be exploited with direct access to the server running the application. The technological cause is similar, but the severity differs.

JFrog shared the vulnerability with the developer of H2. The developer has since patched the vulnerability.