CVE-2022-45868

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.
Configurations

Configuration 1 (hide)

cpe:2.3:a:h2database:h2:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:29

Type Values Removed Values Added
References () https://github.com/advisories/GHSA-22wj-vf5f-wrvj - () https://github.com/advisories/GHSA-22wj-vf5f-wrvj -
References () https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347 - Third Party Advisory () https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347 - Third Party Advisory
References () https://github.com/h2database/h2database/issues/3686 - () https://github.com/h2database/h2database/issues/3686 -
References () https://github.com/h2database/h2database/pull/3833 - () https://github.com/h2database/h2database/pull/3833 -
References () https://github.com/h2database/h2database/releases/tag/version-2.2.220 - () https://github.com/h2database/h2database/releases/tag/version-2.2.220 -
References () https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243 - Exploit, Third Party Advisory () https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243 - Exploit, Third Party Advisory
CVSS v2 : unknown
v3 : 7.8
v2 : unknown
v3 : 8.4

03 Apr 2024, 03:15

Type Values Removed Values Added
References
  • () https://github.com/h2database/h2database/pull/3833 -
  • () https://github.com/h2database/h2database/releases/tag/version-2.2.220 -
Summary (en) The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." (en) The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.

07 Nov 2023, 03:54

Type Values Removed Values Added
Summary ** DISPUTED ** The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

18 Jul 2023, 18:15

Type Values Removed Values Added
References
  • (MISC) https://github.com/advisories/GHSA-22wj-vf5f-wrvj -
  • (MISC) https://github.com/h2database/h2database/issues/3686 -
Summary The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." ** DISPUTED ** The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

Information

Published : 2022-11-23 21:15

Updated : 2024-11-21 07:29


NVD link : CVE-2022-45868

Mitre link : CVE-2022-45868

CVE.ORG link : CVE-2022-45868


JSON object : View

Products Affected

h2database

  • h2
CWE
CWE-312

Cleartext Storage of Sensitive Information