
CVE-2022-45868 com.h2database:h2

Package

Manager: maven
Name: com.h2database:h2
Vulnerable Version: >=1.4.198 <2.2.220

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00093 (percentile 0.27066)

Details

Password exposure in H2 Database

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

Metadata

Created: 2022-11-23T21:30:31Z
Modified: 2024-07-03T17:59:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-22wj-vf5f-wrvj/GHSA-22wj-vf5f-wrvj.json
CWE IDs: ["CWE-200", "CWE-312"]
Alternative ID: GHSA-22wj-vf5f-wrvj
Finding: F308
Auto approve: 1