Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yMndqLXZmNWYtd3J2as4AAwB8
Password exposure in H2 Database
The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."
Permalink: https://github.com/advisories/GHSA-22wj-vf5f-wrvjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yMndqLXZmNWYtd3J2as4AAwB8
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 10 months ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-22wj-vf5f-wrvj, CVE-2022-45868
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-45868
- https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347
- https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243
- https://github.com/h2database/h2database/pull/3833
- https://github.com/h2database/h2database/commit/581ed18ff9d6b3761d851620ed88a3994a351a0d
- https://github.com/advisories/GHSA-22wj-vf5f-wrvj
Blast Radius: 42.3
Affected Packages
maven:com.h2database:h2
Dependent packages: 7,790Dependent repositories: 266,808
Downloads:
Affected Version Ranges: < 2.2.220
Fixed in: 2.2.220
All affected versions: 1.0.57, 1.0.58, 1.0.59, 1.0.60, 1.0.61, 1.0.62, 1.0.63, 1.0.64, 1.0.65, 1.0.66, 1.0.67, 1.0.68, 1.0.69, 1.0.70, 1.0.71, 1.0.72, 1.0.73, 1.0.74, 1.0.75, 1.0.76, 1.0.77, 1.0.78, 1.0.79, 1.0.20061217, 1.0.20070304, 1.0.20070429, 1.0.20070617, 1.1.100, 1.1.101, 1.1.102, 1.1.103, 1.1.104, 1.1.105, 1.1.106, 1.1.107, 1.1.108, 1.1.109, 1.1.110, 1.1.111, 1.1.112, 1.1.113, 1.1.114, 1.1.115, 1.1.116, 1.1.117, 1.1.118, 1.1.119, 1.2.120, 1.2.121, 1.2.122, 1.2.123, 1.2.124, 1.2.125, 1.2.126, 1.2.127, 1.2.128, 1.2.129, 1.2.130, 1.2.131, 1.2.132, 1.2.133, 1.2.134, 1.2.135, 1.2.136, 1.2.137, 1.2.138, 1.2.139, 1.2.140, 1.2.141, 1.2.142, 1.2.143, 1.2.144, 1.2.145, 1.2.147, 1.3.146, 1.3.148, 1.3.149, 1.3.150, 1.3.151, 1.3.152, 1.3.153, 1.3.154, 1.3.155, 1.3.156, 1.3.157, 1.3.158, 1.3.159, 1.3.160, 1.3.161, 1.3.162, 1.3.163, 1.3.164, 1.3.165, 1.3.166, 1.3.167, 1.3.168, 1.3.169, 1.3.170, 1.3.171, 1.3.172, 1.3.173, 1.3.174, 1.3.175, 1.3.176, 1.4.177, 1.4.178, 1.4.179, 1.4.180, 1.4.181, 1.4.182, 1.4.183, 1.4.184, 1.4.185, 1.4.186, 1.4.187, 1.4.188, 1.4.189, 1.4.190, 1.4.191, 1.4.192, 1.4.193, 1.4.194, 1.4.195, 1.4.196, 1.4.197, 1.4.198, 1.4.199, 1.4.200, 2.0.202, 2.0.204, 2.0.206, 2.1.210, 2.1.212, 2.1.214
All unaffected versions: 2.2.220, 2.2.222, 2.2.224