CVE-2022-45868

2022-11-2300:00:00

ubuntu.com

h2 database engine

web admin console

password clearance

CVSS3

8.4

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

Percentile

5.1%

JSON

DISPUTED The web-based admin console in H2 Database Engine before
2.2.220 can be started via the CLI with the argument -webAdminPassword,
which allows the user to specify the password in cleartext for the web
admin console. Consequently, a local user (or an attacker that has obtained
local access through some means) would be able to discover the password by
listing processes and their arguments. NOTE: the vendor states “This is not
a vulnerability of H2 Console … Passwords should never be passed on the
command line and every qualified DBA or system administrator is expected to
know that.” Nonetheless, the issue was fixed in 2.2.220.

Notes

Author	Note
rodrigo-zaiden	the argument was added in version 1.4.198, so, versions prior to that are not affected. mediathekview includes h2database version 1.4.197. jameica-h2database is based on version 1.4.197. upstream states that the argument is used in H2 console that is a tool for developers.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchh2database< anyUNKNOWN
ubuntu20.04noarchh2database< anyUNKNOWN
ubuntu22.04noarchh2database< anyUNKNOWN
ubuntu24.04noarchh2database< anyUNKNOWN
ubuntu16.04noarchh2database< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	h2database	< any	UNKNOWN
ubuntu	20.04	noarch	h2database	< any	UNKNOWN
ubuntu	22.04	noarch	h2database	< any	UNKNOWN
ubuntu	24.04	noarch	h2database	< any	UNKNOWN
ubuntu	16.04	noarch	h2database	< any	UNKNOWN