CVE-2022-45868 Report - Details, Severity, & Advisories

Twingate Team

Jun 28, 2024

What is CVE-2022-45868?

CVE-2022-45868 is a high-severity vulnerability in the H2 Database Engine before version 2.2.220. The web-based admin console can be started from the command line with the -webAdminPassword argument, which takes the console administrator password in cleartext. The arguments of a running process are visible to every local account (for example through ps or /proc/&lt;pid&gt;/cmdline on Linux), so any local user, or an attacker who has obtained local access by some other means, can recover the password simply by listing processes and their arguments. The recommended remediation is to stop passing the password on the command line and use a safer method, such as supplying a password hash rather than the plaintext value.
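The exposure is straightforward to confirm and to audit for. The script below is an added example written for this report, not code from the H2 project or from Twingate: it splits /proc/&lt;pid&gt;/cmdline the way any local user can, reports every process whose arguments carry -webAdminPassword, and masks the value before printing so the audit does not copy the secret into logs. The sample command line is constructed rather than captured from a real host, the scan assumes a Linux procfs, and only the two-token form "-webAdminPassword &lt;value&gt;" described in the advisory is recognised.

```python
import os
from dataclasses import dataclass
from typing import Iterator, List, Optional

# The H2 Server tool takes the console administrator password as the token
# that follows this flag; that is the form the advisory describes.
LEAKY_FLAG = "-webAdminPassword"
REDACTED = "<redacted>"

# Constructed example of what /proc/<pid>/cmdline holds for a console started
# the vulnerable way (NUL-separated argv, trailing NUL). Not from a real host.
SAMPLE_CMDLINE = (
    b"java\0-cp\0h2-2.1.214.jar\0org.h2.tools.Server\0-web\0-webAllowOthers\0"
    b"-webAdminPassword\0hunter2\0"
)


@dataclass
class Finding:
    pid: int
    argv: List[str]   # command line with the password masked
    password: str     # the value any local user could read


def parse_cmdline(raw: bytes) -> List[str]:
    """Split /proc/<pid>/cmdline, which stores argv as NUL-terminated strings."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]


def find_leaked_password(argv: List[str]) -> Optional[str]:
    """Return the cleartext value following -webAdminPassword, or None.

    A trailing flag with no value is malformed rather than a leak, so it
    yields None as well."""
    for i, arg in enumerate(argv):
        if arg == LEAKY_FLAG and i + 1 < len(argv):
            return argv[i + 1]
    return None


def redact(argv: List[str]) -> List[str]:
    """Copy of argv that is safe to log: the token after the flag is masked."""
    out = list(argv)
    for i, arg in enumerate(out[:-1]):
        if arg == LEAKY_FLAG:
            out[i + 1] = REDACTED
    return out


def scan_proc(proc_root: str = "/proc") -> Iterator[Finding]:
    """Walk a procfs tree and yield a Finding for each process whose argv
    exposes the console password. Needs no privileges: cmdline is readable
    by everyone unless /proc is mounted with hidepid."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                argv = parse_cmdline(f.read())
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # process exited, or hidden by hidepid
        password = find_leaked_password(argv)
        if password is not None:
            yield Finding(pid=int(entry), argv=redact(argv), password=password)


if __name__ == "__main__":
    findings = list(scan_proc()) if os.path.isdir("/proc") else []
    for finding in findings:
        # Print the masked command line only; the password stays out of logs.
        print(f"pid {finding.pid}: {' '.join(finding.argv)}")
    print(f"{len(findings)} process(es) expose an H2 console password via argv")
```

Mounting /proc with hidepid=2 hides other users' process entries, but it does not protect against the account the console runs as, against root, or against the copy of the command line that lands in interactive shell history and any process-accounting or audit log that records argv, so it is a mitigation for the host, not a fix for how the password is supplied.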

Who is impacted by CVE-2022-45868?

Users of the H2 Database Engine before version 2.2.220 are affected, specifically deployments that start the web-based admin console from the command line with the -webAdminPassword argument; an installation that never passes the password this way does not expose it. Affected releases run up to and including 2.1.214, the last release before the fix. Note that the vendor disputes the issue, stating that it is not a vulnerability of the H2 Console and that passwords should never be passed on the command line in the first place.

What to do if CVE-2022-45868 affected you

If your H2 deployment starts the web console with the -webAdminPassword argument, take the following steps:

  1. Update to version 2.2.220 or later, which no longer takes a cleartext console password through the webAdminPassword CLI property.

  2. Use file-based configuration instead: keep the password in a configuration file readable only by the service account, and encrypt it there where the configuration supports it.

  3. Have the application that hosts the server supply the password internally rather than on the command line, so it never appears in a process listing.

Also rotate any console password that has been passed on the command line, since other local users may already have read it.

Together these steps keep the password out of the one place every local user can read.
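To make steps 2 and 3 concrete, here is an added example in Python (not H2's own launcher and not Twingate code): it reads the console password from a file that must be mode 0600, hands it to a child process on stdin instead of placing it in argv, and reads back what a process listing shows in each case. The child is a shell stand-in constructed for the example; how a particular H2 release accepts the password from inside an application is outside its scope. It assumes a Linux /proc, falling back to ps where there is none.

```python
import os
import stat
import subprocess
from typing import List, Tuple


def write_secret_file(path: str, secret: str) -> None:
    """Create the password file owner-read/write only (0600), so that only the
    service account and root can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(secret + "\n")


def read_secret_file(path: str) -> str:
    """Refuse a password file that group or others can access at all."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {oct(mode)} is too permissive, expected 0o600")
    with open(path, encoding="utf-8") as f:
        return f.read().rstrip("\n")


def observed_argv(pid: int) -> List[str]:
    """What any local user sees for a running pid: /proc/<pid>/cmdline on
    Linux, the output of ps elsewhere."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
    except FileNotFoundError:
        ps = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                            capture_output=True, text=True, check=False)
        return ps.stdout.split()


def launch_with_secret(secret: str, via_argv: bool) -> Tuple[List[str], int]:
    """Start a stand-in child that needs `secret`; return what its command
    line looked like while it ran, plus its exit status.

    via_argv=True reproduces the CVE-2022-45868 pattern (secret as an argument).
    via_argv=False hands the secret over on stdin, which process listings do
    not show. The child is a shell stand-in that waits for EOF, not H2."""
    if via_argv:
        cmd = ["sh", "-c", "cat >/dev/null", "h2-stand-in", "-webAdminPassword", secret]
    else:
        cmd = ["sh", "-c", "IFS= read -r password; cat >/dev/null", "h2-stand-in"]
    child = subprocess.Popen(cmd, stdin=subprocess.PIPE, text=True)
    if not via_argv:
        child.stdin.write(secret + "\n")   # the only copy the child receives
        child.stdin.flush()
    argv = observed_argv(child.pid)        # snapshot while the child is alive
    child.stdin.close()                    # EOF lets the stand-in exit
    return argv, child.wait()


if __name__ == "__main__":
    secret = "example-only-password"       # constructed; real code reads the 0600 file
    for via_argv in (True, False):
        argv, rc = launch_with_secret(secret, via_argv)
        print(f"{'argv ' if via_argv else 'stdin'}: exit={rc} leaked={secret in argv}")
```

The permission check in read_secret_file is the part most often skipped: a password moved out of the command line into a world-readable file is exposed to exactly the same local users, so the file must be owned by the service account, kept out of world-readable configuration directories, and checked at startup rather than assumed.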

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

CVE-2022-45868, also listed as "Password exposure in H2 Database," is not in CISA's Known Exploited Vulnerabilities Catalog, meaning CISA has not recorded confirmed exploitation of it in the wild. The issue was addressed in H2 Database Engine 2.2.220, and users should update to that version or later. As noted above, the vendor disputes the issue, stating that it is not a vulnerability and that passwords should never be passed on the command line.

Weakness Enumeration

The weakness is classified as CWE-312, Cleartext Storage of Sensitive Information: the console password is held in cleartext in the H2 process's argument list, where other local users can read it.

Learn More

For a comprehensive understanding of the vulnerability, its severity, and mitigation strategies, refer to the NVD page.

Rapidly implement a modern Zero Trust network that is more secure and maintainable than VPNs.
