🛡️ CVE-2022-45868
🟠 CVSS 8.4 — High ✅ No Known Exploit CWE-200 NVD
8.4
CVSS Score
0 Low4 Medium7 High9 Critical10

Description

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.

Details

Severity HIGH
CVSS Score 8.4
CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-200
Public Exploit ✅ No
Source NVD
Published 2022-11-23
Updated 2026-06-08
Modified 2026-03-13
Fix URL N/A

Affected Packages

Software From version Fixed in
com.h2database:h2 1.4.198 2.2.220
h2 2.1.214

Similar Threats

Free Vulnerability Check

Is your WordPress site affected?

BotEraser helps you identify potentially vulnerable plugins and themes by checking your installation against known CVE records.

Scan My Site Free →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.