This is not really a “hole” in H2; it is an unsafe non-default 
configuration that is used in some third-party products.

You have to enable remote access to H2 explicitly, but if you're doing it 
you should also set additional restrictions that suit your environment and 
needs: -ifExists can be used to prevent creation of new databases, security 
constraints can be used on a web server to limit access to H2 Console only 
to some authorized users, and SSL can be enabled to encrypt the network layer.

I think we need a more detailed description of configuration parameters with 
better security guidance. Unfortunately, this most likely will not reduce 
the number of unsafe configurations significantly, because many people just use 
the first working example that was found somewhere on the Internet, but we 
can try.

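The restrictions listed in the message above can be checked mechanically against a server launch command. The following is an added example, not part of the original post or of H2 itself; it assumes the `org.h2.tools.Server` option names `-webAllowOthers`, `-tcpAllowOthers`, `-webSSL` and `-tcpSSL` (only `-ifExists` is named in the post), and the function name and finding ids are hypothetical.

```python
# Added example: lint an H2 Server argument list for the restrictions the post names.
# Flag names are org.h2.tools.Server options; finding ids are hypothetical labels.

SERVICES = {
    # service: (flag that opens it to other hosts, flag that enables SSL)
    "web": ("-webAllowOthers", "-webSSL"),
    "tcp": ("-tcpAllowOthers", "-tcpSSL"),
}

def audit_h2_args(args):
    """Return (finding_id, message) tuples for one server command line."""
    flags = set(args)
    exposed = [svc for svc, (allow, _) in SERVICES.items() if allow in flags]
    findings = []
    if not exposed:
        return findings  # remote access was not enabled explicitly
    if "-ifExists" not in flags:
        findings.append(("no-ifExists",
                         "remote access without -ifExists: "
                         "database creation is not explicitly prevented"))
    for svc in exposed:
        ssl_flag = SERVICES[svc][1]
        if ssl_flag not in flags:
            findings.append((svc + "-no-ssl",
                             svc + " listener is remote but " + ssl_flag + " is not set"))
    if "web" in exposed:
        # Cannot be proven from the arguments: needs a check of the web server config.
        findings.append(("console-access-control",
                         "H2 Console is remote: confirm it is limited to authorized users"))
    return findings

# Constructed sample command lines (not taken from any real deployment).
SAMPLES = {
    "local-only": ["-tcp", "-tcpPort", "9092"],
    "copied-example": ["-web", "-webAllowOthers", "-tcp", "-tcpAllowOthers"],
    "restricted": ["-tcp", "-tcpAllowOthers", "-tcpSSL", "-ifExists"],
}

if __name__ == "__main__":
    for name, argv in SAMPLES.items():
        results = audit_h2_args(argv)
        print(name + ":", "ok" if not results else "")
        for finding_id, message in results:
            print("  [" + finding_id + "] " + message)
```

The `console-access-control` finding is always raised for a remote console because the command line alone cannot show whether web server security constraints are in place.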