
CVE-2022-45868

Published: 23 November 2022

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

Notes

Author: rodrigo-zaiden

The argument was added in version 1.4.198, so versions prior to that are not affected.
mediathekview includes h2database version 1.4.197.
jameica-h2database is based on version 1.4.197.
Upstream states that the argument is used in H2 Console, which is a tool for developers.

Priority

Low

Status

Package / Release / Status

h2database (Launchpad, Ubuntu, Debian)
  bionic: Needs triage
  focal: Needs triage
  jammy: Needs triage
  kinetic: Needs triage
  trusty: Ignored (out of standard support)
  upstream: Needs triage
  xenial: Ignored (out of standard support)

jameica-h2database (Launchpad, Ubuntu, Debian)
  bionic: Does not exist
  focal: Does not exist
  jammy: Does not exist
  kinetic: Not vulnerable (code not present)
  trusty: Ignored (out of standard support)
  upstream: Needs triage
  xenial: Ignored (out of standard support)

mediathekview (Launchpad, Ubuntu, Debian)
  bionic: Not vulnerable (code not present)
  focal: Not vulnerable (code not present)
  jammy: Not vulnerable (code not present)
  kinetic: Not vulnerable (code not present)
  trusty: Ignored (out of standard support)
  upstream: Needs triage
  xenial: Ignored (out of standard support)