H2 Database Engine is vulnerable to information disclosure. The webAdminPassword argument lets an administrator specify the password for the H2 web admin console in plaintext, so the password becomes part of the process's argument list. An attacker who can view the running processes can read the password from there.
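A Linux host can be audited for this exposure by scanning process argument lists for the flag and reporting the match with the value redacted. This is an added example, not code from the H2 project or the advisory. It assumes the argument is spelled `-webAdminPassword` with the password as the following argument; the sample command lines are constructed.

```python
"""Audit process command lines for an H2 web admin password passed as an argument."""
import os

FLAG = "-webAdminPassword"  # assumed spelling of the argument named in the advisory

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv) into arguments."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def find_exposed_password(argv):
    """Return the index of the password value if FLAG is followed by one, else None."""
    for i, arg in enumerate(argv[:-1]):
        if arg == FLAG:
            return i + 1
    return None

def audit(cmdlines):
    """Map pid -> redacted command line for every process that exposes the password."""
    findings = {}
    for pid, raw in cmdlines.items():
        argv = parse_cmdline(raw)
        idx = find_exposed_password(argv)
        if idx is not None:
            argv[idx] = "<redacted>"  # never copy the secret into the report
            findings[pid] = " ".join(argv)
    return findings

def read_proc(proc="/proc"):
    """Collect cmdline blobs for every process visible to the current user."""
    blobs = {}
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, name, "cmdline"), "rb") as fh:
                blobs[int(name)] = fh.read()
        except OSError:
            continue  # process exited or access was denied
    return blobs

# Constructed sample input, used when /proc is not available.
SAMPLE = {
    4101: b"java\0-cp\0h2.jar\0org.h2.tools.Server\0-web\0-webAdminPassword\0example-secret\0",
    4102: b"java\0-cp\0h2.jar\0org.h2.tools.Server\0-web\0",
    4103: b"sshd: user@pts/0\0",
}

if __name__ == "__main__":
    source = read_proc() if os.path.isdir("/proc") else SAMPLE
    for pid, line in sorted(audit(source).items()):
        print(pid, line)
```

Any process the audit reports should have its admin password rotated, since the value was readable by every account able to list that process.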
CPE Name | Operator | Version |
---|---|---|
h2 database engine | le | 2.1.214 |
github.com/advisories/GHSA-22wj-vf5f-wrvj
github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347
github.com/h2database/h2database/commit/fd85ea22277c98cfa5dbc072cefa2c46eff9ef46
github.com/h2database/h2database/issues/3686
sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243