You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-bolt-for-githubbot
changed the title
h2-2.1.214.jar: 1 vulnerabilities (highest severity is: 8.4)
h2-2.1.214.jar: 1 vulnerabilities (highest severity is: 8.4) - autoclosed
Oct 1, 2024
Vulnerable Library - h2-2.1.214.jar
H2 Database Engine
Library home page: https://h2database.com
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/2.1.214/h2-2.1.214.jar
Found in HEAD commit: 924aa2c29ab21a422a96a7a2e29ae0c459bcce8d
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-45868
Vulnerable Library - h2-2.1.214.jar
H2 Database Engine
Library home page: https://h2database.com
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/2.1.214/h2-2.1.214.jar
Dependency Hierarchy:
Found in HEAD commit: 924aa2c29ab21a422a96a7a2e29ae0c459bcce8d
Found in base branch: main
Vulnerability Details
The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.
Publish Date: 2022-11-23
URL: CVE-2022-45868
CVSS 3 Score Details (8.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-22wj-vf5f-wrvj
Release Date: 2022-11-23
Fix Resolution: 2.2.220
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: