CVE-2022-45868

moderate-risk
Published 2022-11-23

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.

Do I need to act?

-
0.29% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.4/10 High
LOCAL / LOW complexity

Affected Products (1)

H2

Affected Vendors

H2Database

References (12)

https://github.com/advisories/GHSA-22wj-vf5f-wrvj
Third Party Advisory https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990...
https://github.com/h2database/h2database/issues/3686
https://github.com/h2database/h2database/pull/3833
https://github.com/h2database/h2database/releases/tag/version-2.2.220
Exploit https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243
https://github.com/advisories/GHSA-22wj-vf5f-wrvj
Third Party Advisory https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990...
https://github.com/h2database/h2database/issues/3686
https://github.com/h2database/h2database/pull/3833
https://github.com/h2database/h2database/releases/tag/version-2.2.220
Exploit https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243
32
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal