CVE-2022-45868

HIGH 8.4

CVSS Score

8.4

EPSS Score

0.0%

EPSS Percentile

0th

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.

Vendor	n/a
Product	n/a
Published	Nov 23, 2022
Last Updated	Nov 19, 2024

Stay Ahead of the Next One

Get instant alerts for n/a n/a

Be the first to know when new high vulnerabilities affecting n/a n/a are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AC:L/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

n/a / n/a

n/a

References

NVD ↗ CVE.org ↗ EPSS Data ↗

sites.google.com: https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243 github.com: https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347 github.com: https://github.com/h2database/h2database/issues/3686 github.com: https://github.com/advisories/GHSA-22wj-vf5f-wrvj github.com: https://github.com/h2database/h2database/pull/3833 github.com: https://github.com/h2database/h2database/releases/tag/version-2.2.220