Information Exposure Affecting com.h2database:h2 package, versions [1.4.198,2.2.220)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-COMH2DATABASE-3146851
- published 24 Nov 2022
- disclosed 24 Nov 2022
- credit Unknown
Introduced: 24 Nov 2022
CVE-2022-45868 Open this link in a new tabHow to fix?
Upgrade com.h2database:h2 to version 2.2.220 or higher.
Overview
com.h2database:h2 is a database engine
Affected versions of this package are vulnerable to Information Exposure when H2 web-based admin console was started via the CLI with the argument -webAdminPassword, which allows a local user to specify the password in plaintext for the web admin console.
Consequently, a malicious local user or an attacker that has obtained local access through some means would be able to get the password for the H2 web admin console by looking at the running processes.
Vendor Statement: "This is not a vulnerability of the H2 Console, this is an example of how not to use it. I think there is nothing to do with it on the H2 side. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that."