CVE-2022-45868: Cleartext Storage of Sensitive Info in H2

Severity: 7.8 HIGH (NVD)
EPSS: 0.3% (top 47.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 23; Latest update Sep 18

Description

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (2 packages)

NVD: h2database/h2 2.1.214

Vulnerability Details (4)

OSV: Password exposure in H2 Database (2022-11-23)
OSV: CVE-2022-45868: The web-based admin console in H2 Database Engine before 2 (2022-11-23)
OSV: CVE-2022-45868: ** DISPUTED ** The web-based admin console in H2 Database Engine before 2 (2022-11-23)
GHSA: Password exposure in H2 Database (2022-11-23)

Vendor Advisories (3)

CISA ICS: Hitachi Energy Asset Suite (2025-09-18)
Oracle: Oracle Communications Applications Risk Matrix: PSR Designer (H2 Database) — CVE-2022-45868 (2024-01-15)
Debian: CVE-2022-45868: h2database - The web-based admin console in H2 Database Engine before 2.2.220 can be started ... (2022)
CVE-2022-45868 — Cleartext Storage of Sensitive Info | cvebase