QwikSec

Security Database

CVE

CWE

Training

CVE-2022-45868

Published: Nov 23, 2022

Modified: Nov 19, 2024

PUBLISHED

CVSS v3.1

8.4

HIGH

Description

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AC:L/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N

Attack Complexity

Low

Attack Vector

Local

Availability

High

Confidentiality

High

Integrity

High

Privileges Required

None

Scope

Unchanged

User Interaction

None

References

https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243

https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347

https://github.com/h2database/h2database/issues/3686

https://github.com/advisories/GHSA-22wj-vf5f-wrvj

https://github.com/h2database/h2database/pull/3833

https://github.com/h2database/h2database/releases/tag/version-2.2.220

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.