JFrog researchers find JNDI vulnerability in H2 database consoles similar to log4shell


Security researchers from JFrog said on Thursday that they discovered a critical JNDI-based vulnerability in the H2 database console with a root cause similar to that of Log4Shell. The CVE hasn’t been posted by NIST yet but will be assigned CVE-2021-42392.

In a blog post, the company said that CVE-2021-42392 should not be as widespread as Log4Shell even though it is a critical issue with a similar root cause.

JFrog explained that the Java Naming and Directory Interface (JNDI) is an API that provides naming and directory functionality for Java applications. H2 is a widely used open-source Java SQL database found in projects ranging from web platforms like Spring Boot to IoT platforms like ThingWorx. The researchers noted that the com.h2database:h2 package is “part of the top 50 most popular Maven packages, with almost 7,000 artifact dependencies.”

Source: ZDNet