Vulnerabilities > CVE-2022-45868 - Cleartext Storage of Sensitive Information vulnerability in H2Database H2

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

h2database

CWE-312

NVD

Published: 2022-11-23

Updated: 2024-04-11

Summary

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.

Vulnerable Configurations

Part	Description	Count
Application	H2Database H2Database H2 1.0 H2Database H2 1.0.60 H2Database H2 1.0.61 H2Database H2 1.0.62 H2Database H2 1.0.63 H2Database H2 1.0.64 H2Database H2 1.0.65 H2Database H2 1.0.66 H2Database H2 1.0.67 H2Database H2 1.0.68 H2Database H2 1.0.69 H2Database H2 1.0.70 H2Database H2 1.0.71 H2Database H2 1.0.72 H2Database H2 1.0.73 H2Database H2 1.0.74 H2Database H2 1.0.75 H2Database H2 1.1.101 H2Database H2 1.1.102 H2Database H2 1.1.103 H2Database H2 1.1.104 H2Database H2 1.1.105 H2Database H2 1.1.106 H2Database H2 1.1.107 H2Database H2 1.1.108 H2Database H2 1.1.109 H2Database H2 1.1.110 H2Database H2 1.1.111 H2Database H2 1.1.112 H2Database H2 1.1.113 H2Database H2 1.1.114 H2Database H2 1.1.115 H2Database H2 1.1.116 H2Database H2 1.1.117 H2Database H2 1.1.118 H2Database H2 1.1.119 H2Database H2 1.2.120 H2Database H2 1.2.121 H2Database H2 1.2.122 H2Database H2 1.2.123 H2Database H2 1.2.124 H2Database H2 1.2.125 H2Database H2 1.2.126 H2Database H2 1.2.127 H2Database H2 1.2.128 H2Database H2 1.2.129 H2Database H2 1.2.130 H2Database H2 1.2.131 H2Database H2 1.2.132 H2Database H2 1.2.133 H2Database H2 1.2.134 H2Database H2 1.2.135 H2Database H2 1.2.136 H2Database H2 1.2.137 H2Database H2 1.2.138 H2Database H2 1.2.139 H2Database H2 1.2.140 H2Database H2 1.2.141 H2Database H2 1.2.142 H2Database H2 1.2.143 H2Database H2 1.2.144 H2Database H2 1.2.145 H2Database H2 1.2.147 H2Database H2 1.3.146 H2Database H2 1.3.148 H2Database H2 1.3.149 H2Database H2 1.3.150 H2Database H2 1.3.151 H2Database H2 1.3.152 H2Database H2 1.3.153 H2Database H2 1.3.154 H2Database H2 1.3.155 H2Database H2 1.3.156 H2Database H2 1.3.157 H2Database H2 1.3.158 H2Database H2 1.3.159 H2Database H2 1.3.160 H2Database H2 1.3.161 H2Database H2 1.3.162 H2Database H2 1.3.163 H2Database H2 1.3.164 H2Database H2 1.3.165 H2Database H2 1.3.166 H2Database H2 1.3.167 H2Database H2 1.3.168 H2Database H2 1.3.169 H2Database H2 1.3.170 H2Database H2 1.3.171 H2Database H2 1.3.172 H2Database H2 1.3.173 H2Database H2 1.3.174 H2Database H2 1.3.175 H2Database H2 1.4.177 H2Database H2 1.4.178 H2Database H2 1.4.181 H2Database H2 1.4.182 H2Database H2 1.4.183 H2Database H2 1.4.184 H2Database H2 1.4.185 H2Database H2 1.4.186 H2Database H2 1.4.187 H2Database H2 1.4.188 H2Database H2 1.4.190 H2Database H2 1.4.191 H2Database H2 1.4.192 H2Database H2 1.4.193 H2Database H2 1.4.194 H2Database H2 1.4.195 H2Database H2 1.4.196 H2Database H2 1.4.197 H2Database H2 1.4.198 H2Database H2 1.4.199 H2Database H2 1.4.200 H2Database H2 2.0.202 H2Database H2 2.0.204 H2Database H2 2.0.206 H2Database H2 2.1.210	123

Common Weakness Enumeration (CWE)

CWE-312 - Cleartext Storage of Sensitive Information

Common Attack Pattern Enumeration and Classification (CAPEC)

Footprinting
An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
Lifting Data Embedded in Client Distributions
An attacker can resort to stealing data embedded in client distributions or client code in order to gain certain information. This information can reveal confidential contents, such as account numbers, or can be used as an intermediate step in a larger attack (such as by stealing keys/credentials).

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References