Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2022-45868
Back to All
CVE

CVE-2022-45868

Password exposure in H2 Database

Description

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

Base CVSS

7.8

EPSS Score

0.06%

Introduced Version

1.4.198

Fix Available

2.2.220

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
com.h2database:h2
2.1.214
CVES Fixed
C
0
H
1
M
0
L
0
Code Changed
+244
-71

References

https://github.com/h2database/h2database/pull/3833
https://github.com/h2database/h2database/commit/581ed18ff9d6b3761d851620ed88a3994a351a0d
https://nvd.nist.gov/vuln/detail/CVE-2022-45868
https://github.com/advisories/GHSA-22wj-vf5f-wrvj
https://github.com/h2database/h2database/releases/tag/version-2.2.220
https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243
https://github.com/h2database/h2database/issues/3686
https://github.com/h2database/h2database
https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01