News

H2 vulnerability root cause similar to Log4Shell, less exploitation scope

Like Log4Shell, the flaw (CVE-2021-42392) relates to Java Naming and Directory Interface (JNDI) remote class loading.
To keep things simple, we’re going to use the embedded H2 database for both development and runtime examples. You can change the JDBC URL in the EntityManager to point to any database you wish.
A critical flaw in the H2 open-source Java SQL database is similar to the Log4j vulnerability, but does not pose a widespread threat.
JNDI remote class loading allows Java code injection, leading to remote code execution. There are a number of attack vectors that could be used to exploit the vulnerability, the most severe being through the H2 console.