We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)
Bugpilot (Bug tracking)

Ok

THREATINT CVE Home CVE Diag Help
PUBLISHED

CVE-2022-45868

Reserved:2022-11-23
Published:2022-11-23
Updated:2024-04-03

Description

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.



HIGH: 8.4CVSS:3.1/AC:L/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N

References

https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243

https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347

https://github.com/h2database/h2database/issues/3686

https://github.com/advisories/GHSA-22wj-vf5f-wrvj

https://github.com/h2database/h2database/pull/3833

https://github.com/h2database/h2database/releases/tag/version-2.2.220

cve.org CVE-2022-45868

nvd.nist.gov CVE-2022-45868

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2022-45868