Author: Andrey Polkovnychenko and Shachar Menashe
Word count: 2099
Language: English
Hacker News points: None

Summary

The JFrog Security Research Team recently identified a critical vulnerability in the H2 database console, designated CVE-2021-42392, which shares the same root cause as the infamous Log4Shell vulnerability but is less widespread because its impact scope is narrower. H2, a popular Java SQL database embedded in many projects, was found to be vulnerable to remote code execution (RCE) through JNDI remote class loading. By default the H2 console listens only on localhost, so the default configuration is safe; the console can, however, be configured to accept remote connections, which poses a significant risk if it is exposed to a wide area network (WAN). The root cause lies in the JdbcUtils.getConnection method, which passes an attacker-controlled URL, unfiltered, to a JNDI lookup that can load remote classes and lead to remote code execution. Several attack vectors were identified, but the most severe involves the H2 console, which under certain configurations can be reached without authentication. The H2 maintainers promptly addressed the issue and released version 2.0.206, which restricts JNDI URLs to local protocols, mirroring the fix applied in Log4j 2.17.0. Users are strongly advised to upgrade to this version to mitigate the risk. The research underscores the importance of securing developer tools and of remaining vigilant against potential supply chain attacks that exploit similar JNDI vulnerabilities.