Vulnerability	Vulnerable Version
M Information Exposure com.h2database:h2 is a database engine Affected versions of this package are vulnerable to Information Exposure when H2 web-based admin console was started via the CLI with the argument `-webAdminPassword`, which allows a local user to specify the password in plaintext for the web admin console. Consequently, a malicious local user or an attacker that has obtained local access through some means would be able to get the password for the H2 web admin console by looking at the running processes. Vendor Statement: "This is not a vulnerability of the H2 Console, this is an example of how not to use it. I think there is nothing to do with it on the H2 side. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that." How to fix Information Exposure? Upgrade `com.h2database:h2` to version 2.2.220 or higher.	[1.4.198,2.2.220)

Information Exposure

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Information Exposure when H2 web-based admin console was started via the CLI with the argument -webAdminPassword, which allows a local user to specify the password in plaintext for the web admin console. Consequently, a malicious local user or an attacker that has obtained local access through some means would be able to get the password for the H2 web admin console by looking at the running processes.

Vendor Statement: "This is not a vulnerability of the H2 Console, this is an example of how not to use it. I think there is nothing to do with it on the H2 side. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that."

How to fix Information Exposure?

Upgrade com.h2database:h2 to version 2.2.220 or higher.

[1.4.198,2.2.220)

Go back to all versions of this package