KilianB / JImageHash

Perceptual image hashing library used to match similar images
MIT License

Snyk reports vulnerability for h2 dependency #51

Open KilianB opened 3 years ago

KilianB commented 3 years ago

According to Snyk, a critical vulnerability for h2 exists: https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-31685?utm_medium=Partner&utm_source=RedHat&utm_campaign=Code-Ready-Analytics-2020&utm_content=vuln/SNYK-JAVA-COMH2DATABASE-31685

Please see the issue ticket in the original repository here, as well as the developer's comment: https://github.com/h2database/h2database/issues/3012

TL;DR: The default configuration prevents an RCE, the library is not used in such a capacity in JImageHash, and it is only an optional dependency. No patched version of h2 is or will be made available. The report is a false positive and can be ignored if you do not manually open up h2 to the web and alter the settings manually.