Snyk reports vulnerability for h2 dependency
KilianB opened this issue · 0 comments
KilianB commented
According to Snyk, a critical vulnerability for h2 exists: https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-31685?utm_medium=Partner&utm_source=RedHat&utm_campaign=Code-Ready-Analytics-2020&utm_content=vuln/SNYK-JAVA-COMH2DATABASE-31685
Please see the issue ticket in the original repository here as well as the developers comment: h2database/h2database#3012
TLDR: The default configuration prevents an RCE, the library is not used in such a capacity in JImageHash, and it is only an optional dependency. No patch version from h2 is or will be made available. The report is a false positive and can be ignored if you do not manually open up h2 to the web and alter the settings.
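Since the comment above rests on h2 being an optional dependency, the practical check for a downstream user is whether h2 actually lands on their own runtime classpath at all. The following is an added example, not code from the JImageHash project or the issue author: it parses the text output of `mvn dependency:tree` and reports any `com.h2database:h2` entry in compile or runtime scope. The two dependency trees embedded below are constructed for illustration (artifact names other than h2 are made up), and the handling of a trailing `(optional)` marker reflects the dependency plugin's output format as assumed here.

```python
"""Flag com.h2database:h2 on the runtime classpath from `mvn dependency:tree` text.

Added example; not part of the JImageHash project. Run `mvn dependency:tree`
in the consuming project and feed its output to h2_on_runtime_classpath().
"""
import re
from dataclasses import dataclass

H2_GROUP, H2_ARTIFACT = "com.h2database", "h2"
RUNTIME_SCOPES = {"compile", "runtime"}   # scopes that ship with the application

# One tree line: "[INFO] " + tree-drawing prefix ("+- ", "|  ", "\- ", "   ")
# + group:artifact:type[:classifier]:version:scope, optionally " (optional)".
# The root artifact has no scope (4 fields) and is deliberately not matched.
_LINE = re.compile(
    r"^\[INFO\] ([|+\\ -]*)([\w.\-]+(?::[\w.\-]+){4,5})( \(optional\))?$"
)


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int        # 1 = direct dependency, 2+ = pulled in transitively
    optional: bool    # marked optional in the declaring pom (assumed marker)

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_tree(text: str) -> list[Dep]:
    """Return every non-root dependency in the tree with its scope and depth."""
    deps = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue   # root line, plugin banner, or other non-dependency output
        prefix, coords, opt = m.groups()
        parts = coords.split(":")
        deps.append(Dep(group=parts[0], artifact=parts[1],
                        version=parts[-2], scope=parts[-1],
                        depth=len(prefix) // 3,      # each tree level is 3 chars wide
                        optional=opt is not None))
    return deps


def h2_entries(deps: list[Dep]) -> list[Dep]:
    return [d for d in deps if d.group == H2_GROUP and d.artifact == H2_ARTIFACT]


def h2_on_runtime_classpath(tree_text: str) -> list[Dep]:
    """h2 entries that would actually be packaged with the application."""
    return [d for d in h2_entries(parse_tree(tree_text)) if d.scope in RUNTIME_SCOPES]


# Constructed sample: h2 present only in test scope, so nothing ships with the app.
SAMPLE_CLEAN = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ myapp ---
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- com.example:image-lib:jar:3.0.0:compile
[INFO] |  \\- com.example:transforms:jar:3.1:compile
[INFO] +- com.h2database:h2:jar:1.4.200:test
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.30:compile
"""

# Constructed sample: a transitive dependency drags h2 in at compile scope.
SAMPLE_EXPOSED = """\
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- com.example:some-lib:jar:2.3.1:compile
[INFO] |  \\- com.h2database:h2:jar:1.4.200:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.30:compile
"""

if __name__ == "__main__":
    for name, tree in (("clean", SAMPLE_CLEAN), ("exposed", SAMPLE_EXPOSED)):
        hits = h2_on_runtime_classpath(tree)
        if not hits:
            print(f"{name}: h2 is not on the runtime classpath")
        for d in hits:
            via = "direct dependency" if d.depth == 1 else f"transitive (depth {d.depth})"
            print(f"{name}: {d.coordinates} scope={d.scope}, {via}")
```

If the check reports nothing, the Snyk finding does not apply to the deployed artifact regardless of how h2 itself is configured; if it does report a compile or runtime entry, that is the point at which the "default configuration" argument in the comment above becomes the thing to verify for your own deployment.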