CVE-2022-45868

NameCVE-2022-45868
DescriptionThe web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
h2database (PTS)stretch (security), stretch (lts), stretch1.4.193-1+deb9u1vulnerable
buster (security), buster, buster (lts)1.4.197-4+deb10u1vulnerable
bullseye (security), bullseye1.4.197-4+deb11u1vulnerable
bookworm2.1.214-1vulnerable
sid, trixie2.2.220-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
h2databasesource(unstable)(unfixed)unimportant

Notes

Not cosidered a vulnerability of H2 Console by vendor. Passwords should never be
passed on the command line.

Search for package or bug name: Reporting problems