CVE-2022-45868

NameCVE-2022-45868
DescriptionThe web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
h2database (PTS)buster, buster (security)1.4.197-4+deb10u1vulnerable
bullseye (security), bullseye1.4.197-4+deb11u1vulnerable
bookworm, sid2.1.214-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
h2databasesource(unstable)(unfixed)unimportant

Notes

Not cosidered a vulnerability of H2 Console by vendor. Passwords should never be
passed on the command line.

Search for package or bug name: Reporting problems