Vulnerability Report

CVE-2022-45868

Title: H2Database H2 Cryptographic Failures

Cryptographic Failures

Proof Of Concept

No public PoC currently indexed for CVE-2022-45868.

CWE Category CWE-312

Published Date Nov 23, 2022

Modified Date Nov 21, 2024

Exploit Status Not Found

Score 8.4 CVSS v3.1

Exploit Probability (EPSS)

0.22%

Vulnerability Summary

CVE-2022-45868: The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.

Impacted Vendors

h2database 1

Reference Links

https://github.com/advisories/GHSA-22wj-vf5f-wrvj https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347 https://github.com/h2database/h2database/issues/3686 https://github.com/h2database/h2database/pull/3833 https://github.com/h2database/h2database/releases/tag/version-2.2.220 https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243 https://github.com/advisories/GHSA-22wj-vf5f-wrvj https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347 https://github.com/h2database/h2database/issues/3686 https://github.com/h2database/h2database/pull/3833 https://github.com/h2database/h2database/releases/tag/version-2.2.220 https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243

CVSS v3.1

Source Entity [email protected]

Severity HIGH

8.4

Attack Vector

LOCAL

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.8

Attack Vector

LOCAL

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2022-45868 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

November 21, 2024 MODIFIED

Vulnerability data or affected products updated.

November 23, 2022 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector LOCAL

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Stack

No specific products linked.