CVE-2022-45868
CVE-2022-45868 is a high-severity vulnerability in H2database H2 with a CVSS 3.x base score of 8.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-312.
Key facts
- Severity: High (CVSS 3.x base score 8.4)
- EPSS exploit prediction: 0% (22nd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-312
- Affected product: H2database H2
- Published:
- Last modified:
Description
The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.
Frequently asked questions
- What is CVE-2022-45868?
- The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.
- How severe is CVE-2022-45868?
- CVE-2022-45868 has a CVSS 3.x base score of 8.4, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-45868 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (22nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-45868?
- CVE-2022-45868 affects H2database H2. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-45868?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-45868 published?
- CVE-2022-45868 was published on 2022-11-23 and last updated on 2026-06-17.
References
- https://github.com/advisories/GHSA-22wj-vf5f-wrvj
- https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347
- https://github.com/h2database/h2database/issues/3686
- https://github.com/h2database/h2database/pull/3833
- https://github.com/h2database/h2database/releases/tag/version-2.2.220
- https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243
Affected products (1)
- cpe:2.3:a:h2database:h2:*:*:*:*:*:*:*:*
More vulnerabilities in H2database H2
- CVE-2022-23221 — Critical (CVSS 9.8): H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the…
- CVE-2021-42392 — Critical (CVSS 9.8): The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and…
- CVE-2018-10054 — High (CVSS 8.8): H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS…
- CVE-2021-23463 — High (CVSS 8.1): The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via…
- CVE-2018-14335 — Medium (CVSS 6.5): An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read…
All CVEs affecting H2database H2 →
Other CWE-312 (Cleartext Storage of Sensitive Information) vulnerabilities
- CVE-2022-43757 — Critical (CVSS 9.9): A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain…
- CVE-2021-36782 — Critical (CVSS 9.9): A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster…
- CVE-2020-9045 — Critical (CVSS 9.9): During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management…
- CVE-2026-31848 — Critical (CVSS 9.8): Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which…
- CVE-2025-65826 — Critical (CVSS 9.8): The mobile application was found to contain stored credentials for the network it was developed on. If an attacker…
- CVE-2025-34206 — Critical (CVSS 9.8): Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) mount host…
Browse all CWE-312 (Cleartext Storage of Sensitive Information) vulnerabilities →