Information Exposure Affecting com.h2database:h2 package, versions [1.4.198,2.2.220)


Severity

medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.04% (6th percentile)

  • Snyk ID: SNYK-JAVA-COMH2DATABASE-3146851
  • published: 24 Nov 2022
  • disclosed: 24 Nov 2022
  • credit: Unknown

Introduced: 24 Nov 2022

CVE-2022-45868
CWE-200

How to fix?

Upgrade com.h2database:h2 to version 2.2.220 or higher.

Overview

com.h2database:h2 is a Java SQL database engine.

Affected versions of this package are vulnerable to Information Exposure when the H2 web-based admin console is started via the CLI with the -webAdminPassword argument, which takes the web admin console password in plaintext on the command line. Command-line arguments are visible to every local user (for example through ps, or on Linux through the world-readable /proc/<pid>/cmdline), so a malicious local user, or an attacker who has obtained local access by other means, can recover the H2 web admin console password simply by listing the running processes.

Vendor Statement: "This is not a vulnerability of the H2 Console, this is an example of how not to use it. I think there is nothing to do with it on the H2 side. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that."
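The following shell script is an added example written for this advisory; it is not Snyk's or the H2 project's code. It shows the exposure described above and in the vendor statement: a process is started with the password in its argv (a sh stand-in for the java invocation, with the constructed dummy password 'hunter2'), and a scan of the process table recovers the -webAdminPassword argument and its value. The scan doubles as a check an administrator can run to find any service that was started this way. It reads /proc on Linux and falls back to ps(1) elsewhere; the function names are this example's own.

```shell
#!/bin/sh
# Added example for this advisory; not Snyk's or the H2 project's code.
# Shows why a password in a command-line argument is readable by other local
# users, and gives a check that finds such arguments in the process table.
# Prefers /proc (Linux); falls back to ps(1) elsewhere.

# Print the PIDs of all running processes, one per line.
list_pids() {
    if [ -d /proc/self ]; then
        for d in /proc/[0-9]*; do printf '%s\n' "${d#/proc/}"; done
    else
        ps -A -o pid=
    fi
}

# Print the full command line of process $1 (argv words separated by spaces).
# /proc/<pid>/cmdline is world-readable, which is exactly the problem: any
# local user can read another user's argv, unlike /proc/<pid>/environ (0400).
proc_cmdline() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1" 2>/dev/null
    fi
}

# Report every process whose argv contains the fixed string $1 as "pid: argv".
# Returns 0 if at least one process matched, 1 otherwise. Skips this script's
# own shell so that a pattern typed here is not reported against itself.
find_secret_in_argv() {
    pattern="$1"
    found=1
    for pid in $(list_pids); do
        [ "$pid" = "$$" ] && continue
        cmd="$(proc_cmdline "$pid")" || continue
        case "$cmd" in
            *"$pattern"*) printf '%s: %s\n' "$pid" "$cmd"; found=0 ;;
        esac
    done
    return "$found"
}

# Demonstration. Stand-in for the vulnerable invocation
#   java -cp h2*.jar org.h2.tools.Server -web -webAdminPassword <password>
# using sh instead of the JVM and the constructed dummy password 'hunter2'.
# Returns 0 when the scan recovers both the argument and the password.
demo() {
    sh -c 'sleep 3; exit 0' h2-stand-in -webAdminPassword hunter2 &
    child=$!
    sleep 1   # give the child time to start
    hits="$(find_secret_in_argv -webAdminPassword)"
    kill "$child" 2>/dev/null
    case "$hits" in
        *h2-stand-in*hunter2*) return 0 ;;
        *) return 1 ;;
    esac
}

demo && echo "password recovered from the process table"
```

Run the script as any unprivileged user: the scan does not need to own the target process, because argv is readable across users. The same find_secret_in_argv check, pointed at -webAdminPassword, is a quick way to confirm that no H2 console on a host is still started with the password on its command line after the upgrade.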

CVSS Scores

version 3.1