Hello.
H2 is not a secure container. Users with ADMIN privileges may do anything with your JVM and host system as far as your JVM allows by design. If remote database creation is enabled (remote access is completely disabled by default, and remote database creation is disabled by default separately since H2 1.4.198), it will create a remote security hole on your system; if you need this feature, you should guard the TCP port of H2 and H2 Console by yourself, but usually you should use some other safe way to create a database; you can find them in the documentation. And so on. Usually you should use separate users without ADMIN privileges for regular operations.
Unfortunately, some third-party projects include H2 with custom insecure settings in their distributions; such issues should be reported to them instead.
There is a possibility that something found by you is not a real vulnerability, but if you think it is or you aren't sure, please report it in a regular issue on GitHub:
If we decide to accept such reports privately, we'll create a SECURITY.md file in the repository on GitHub with a detailed description.
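
The advice above about separate users without ADMIN privileges, shown as an added example that is not part of the original post or the H2 project's own scripts: an administrator prepares the schema once, and the application then connects as a user holding only table-level rights. The names APP, ORDERS, APP_RW and APP_USER and the password value are placeholders chosen for illustration.

```sql
-- Run once over a local connection as the ADMIN user that owns the database.
-- All object names below are constructed for this example.
CREATE SCHEMA IF NOT EXISTS APP;

CREATE TABLE IF NOT EXISTS APP.ORDERS (
    ID       BIGINT PRIMARY KEY,
    CUSTOMER VARCHAR(100)   NOT NULL,
    TOTAL    DECIMAL(12, 2) NOT NULL
);

-- A role that carries only data-manipulation rights on the application table.
-- It has no DDL rights and no ADMIN flag.
CREATE ROLE IF NOT EXISTS APP_RW;
GRANT SELECT, INSERT, UPDATE, DELETE ON APP.ORDERS TO APP_RW;

-- The account used for regular operations. Omitting the ADMIN keyword
-- creates a non-admin user.
CREATE USER IF NOT EXISTS APP_USER PASSWORD 'replace-with-a-generated-secret';
GRANT APP_RW TO APP_USER;

-- If the account already existed and had been created with ADMIN,
-- remove the flag explicitly. This is a no-op for a non-admin user.
ALTER USER APP_USER ADMIN FALSE;
```

The application then uses APP_USER in its connection settings, and the ADMIN account is kept for schema changes and maintenance only.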