|Description||The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|h2database (PTS)||buster, buster (security)||1.4.197-4+deb10u1||vulnerable|
|bullseye (security), bullseye||1.4.197-4+deb11u1||vulnerable|
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
Not cosidered a vulnerability of H2 Console by vendor. Passwords should never be
passed on the command line.