Hey there.
- SonarQube v7.9.6 is an EOL version of SonarQube; you should upgrade to at least v8.9.6
- The H2 database is only used for evaluation purposes (when `sonar.jdbc.url` is not configured to a Postgres, Oracle, or Microsoft SQL Server database). It is not production-ready, nor meant to be.
- Incidentally, we already plan to upgrade the H2 database in SonarQube v9.4 (SONAR-15845)
- In all versions, SonarQube is not vulnerable as the H2 console is not enabled and the H2 URL is hardcoded
- In the future, please follow our guide on Responsible Vulnerability Disclosure
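
An added example, not part of the reply above and not SonarSource code: a check of whether a `sonar.properties` file leaves an instance on the embedded H2 evaluation database, based on the `sonar.jdbc.url` rule the reply describes. The JDBC URL prefixes, the function names and the sample file contents are assumptions constructed for illustration; the check reads only the file, so a setting supplied some other way is not seen.

```python
import re

# JDBC URL prefixes assumed for the three external databases named in the reply.
EXTERNAL_PREFIXES = {
    "jdbc:postgresql:": "PostgreSQL",
    "jdbc:oracle:": "Oracle",
    "jdbc:sqlserver:": "Microsoft SQL Server",
}

def parse_properties(text):
    """Minimal Java .properties parser: skips comments, joins continuation lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue  # blank line or commented-out setting
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def database_mode(properties_text):
    """Return (mode, detail); mode is 'external', 'embedded-h2' or 'unknown'."""
    url = parse_properties(properties_text).get("sonar.jdbc.url", "").lower()
    if not url:
        return ("embedded-h2", "sonar.jdbc.url is unset")
    for prefix, name in EXTERNAL_PREFIXES.items():
        if url.startswith(prefix):
            return ("external", name)
    if url.startswith("jdbc:h2:"):
        return ("embedded-h2", "sonar.jdbc.url points at H2")
    # The URL itself is not echoed, since JDBC URLs can carry credentials.
    return ("unknown", "unrecognised JDBC URL")

# Constructed samples: a file with the setting still commented out, and a configured one.
SAMPLE_DEFAULT = "# Database\n#sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube\n"
SAMPLE_POSTGRES = "sonar.jdbc.username=sonar\nsonar.jdbc.url = jdbc:postgresql://db.example/sonar\n"

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("postgres", SAMPLE_POSTGRES)):
        print(label, database_mode(text))
```

A result of `embedded-h2` on anything other than an evaluation instance is the finding to act on.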