CVE-2022-45868
Published: 2022-11-23
Priority: P3 · 41 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% (21.7th percentile)
The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.
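The exposure is easy to audit on a host, because the same process listing the advisory describes is available to a defender. The script below is an added example, not code from the advisory or from the H2 project; the -webAdminPassword flag and the org.h2.tools.Server main class are H2's own names, and the SAMPLE argv entries are constructed.

```python
# Added example (not from the advisory or the H2 project): audit the argv of
# running processes for an H2 web console started with a cleartext
# -webAdminPassword (CVE-2022-45868) and report it with the secret redacted.
# Reads /proc/<pid>/cmdline on Linux; the constructed SAMPLE runs anywhere.
import os
from typing import Dict, Iterable, Iterator, List, Tuple

FLAG = "-webAdminPassword"  # H2 Server/Console flag named in the advisory

def parse_cmdline(raw: bytes) -> List[str]:
    # /proc/<pid>/cmdline is NUL-separated and NUL-terminated
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def iter_proc_cmdlines() -> Iterator[Tuple[int, List[str]]]:
    # Yield (pid, argv) for each readable process: what `ps -o args` shows
    for pid in os.listdir("/proc") if os.path.isdir("/proc") else []:
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                args = parse_cmdline(f.read())
        except OSError:
            continue  # process exited or cmdline not readable
        if args:
            yield int(pid), args

def audit(processes: Iterable[Tuple[int, List[str]]]) -> List[Dict[str, object]]:
    # One finding per process whose argv carries the flag; the value is never logged
    findings = []
    for pid, args in processes:
        lowered = [a.lower() for a in args]
        if FLAG.lower() not in lowered:
            continue
        i = lowered.index(FLAG.lower())
        value = args[i + 1] if i + 1 < len(args) else None
        redacted = args[:i + 1] + ["<redacted>"] + args[i + 2:] if value else list(args)
        findings.append({"pid": pid, "password_length": len(value) if value else 0,
                         "h2_main_class": next((a for a in args if a.startswith("org.h2.")), None),
                         "cmdline": " ".join(redacted)})
    return findings

# Constructed sample: an H2 console launched the risky way, plus a benign process
SAMPLE = [(4242, b"java\0-cp\0h2-2.1.214.jar\0org.h2.tools.Server\0-web\0"
                 b"-webAdminPassword\0Tr0ub4dor\0"),
          (4300, b"java\0-jar\0app.jar\0")]

def audit_sample() -> List[Dict[str, object]]:
    return audit((pid, parse_cmdline(raw)) for pid, raw in SAMPLE)
```

On a Linux host, `audit(iter_proc_cmdlines())` checks live processes; `audit_sample()` exercises the constructed sample and shows the redacted finding format.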
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | h2database | — | — |
| h2database | h2 | <= 2.1.214 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 8.4 | LOW | — |
| vendor_oracle | — | 7.8 | HIGH | — |
OSV · 2022-11-23 · CVE-2022-45868 [HIGH] · Password exposure in H2 Database
The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."
OSV · 2022-11-23 · CVSS 7.8 · CVE-2022-45868 [HIGH]
Same description as the main entry above (H2 Database Engine before 2.2.220; fixed in 2.2.220).
OSV · 2022-11-23 · CVSS 7.8 · CVE-2022-45868 [HIGH] · marked ** DISPUTED **
Same description as the main entry above, prefixed with the DISPUTED marker (the vendor disputes that this is a vulnerability of the H2 Console).
GHSA · 2022-11-23 · CVE-2022-45868 [HIGH] · CWE-200 · Password exposure in H2 Database
Same description as the first OSV record above (H2 Database Engine through 2.1.214).
CISA ICS · 2025-09-18 · CVSS 7.1 · [HIGH] Hitachi Energy Asset Suite
ICS Advisory ICSA-25-261-04, release date September 18, 2025
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: Asset Suite
- Vulnerabilities: Server-Side Request Forgery (SSRF), Deserialization of Untrusted Data, Cleartext Storage of Sensitive Information, Uncontrolled Resource Consumption, URL Redirection to Untrusted Site ('Open Redirect'), Improper Authentication
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow attackers to trigger resource consumption or information disclosure through SSRF in Apache XML Gra
Oracle · 2024-01-15 · CVSS 7.8 · CVE-2022-45868 [HIGH]
Oracle Communications Applications Risk Matrix: PSR Designer (H2 Database)
CVE: CVE-2022-45868
CVSS: 7.8
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpujan2024 (JAN 2024)
Debian · 2022 · CVSS 8.4 · CVE-2022-45868 [HIGH] · h2database
Same description as the main entry above (H2 Database Engine before 2.2.220; fixed in 2.2.220).
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/advisories/GHSA-22wj-vf5f-wrvj
- https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347
- https://github.com/h2database/h2database/issues/3686
- https://github.com/h2database/h2database/pull/3833
- https://github.com/h2database/h2database/releases/tag/version-2.2.220
- https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243