CVE-2018-14335 #1294

Closed
ghost opened this issue Jul 16, 2018 · 9 comments
Comments

@ghost

ghost commented Jul 16, 2018

Please write me back on owodelta@protonmail.ch, need to talk about disclosure

@grandinj
Contributor

H2 is not intended to be used outside a secure environment, so we don't have any need for embargoes or such

@ghost ghost closed this as completed Jul 16, 2018
@grandinj
Contributor

You're not going to tell us what the bug is that you found?

@ghost
Author

ghost commented Jul 16, 2018

What's the point if H2 is not intended to be used outside of secure environment?
I'm not gonna disclose it publicly. I left my mail, if you want info, write me back.

@grandinj
Contributor

For the record, this requires
(a) the attacker have read/write access to the filesystem on the machine on which H2 is running
(b) that the H2 web console be activated

Since the web console is a debugging tool and has a boatload of similar issues I do not intend to fix this. Email me or the person above if you feel like fixing such issues.

@grandinj
Contributor

@mikroskeem I have already. This is about the web console, which you should not be running in production. You should also be running H2 behind a firewall, like any other database server in existence.

@grandinj grandinj changed the title from "Vulnerability found in engine" to "CVE-2018-14335" on Aug 22, 2018
@THausherr

ossindex-maven-plugin has now added this to their fearmongering 😬

@katzyn
Contributor

katzyn commented Aug 26, 2022

Tools of H2 Console used by exploit from CVE-2018-14335 are protected from unauthorized access since H2 1.4.198 Beta, this and all newer versions aren't affected by it.

The issue about the incorrectly reported vulnerability is here:
OSSIndex/vulns#277
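The two conditions the thread gives a defender to check are the H2 version (builds before 1.4.198 are the ones katzyn says lack the console protection) and whether the web console is enabled at all (grandinj's point that it is a debugging tool that should not run in production). The script below is an added example, not code from the H2 project or from anyone in this thread. It scans a constructed `pom.xml` fragment for the `com.h2database:h2` dependency version and a constructed Spring Boot `application.properties` for `spring.h2.console.enabled=true` (a real Spring Boot property); the sample inputs are made up for the demonstration, and the Maven regex assumes the child elements appear in the usual groupId/artifactId/version order.

```python
"""Added defender-side check derived from the thread: flag H2 versions older
than 1.4.198 and flag deployments that enable the H2 web console.
Sample inputs below are constructed for the example."""

from __future__ import annotations

import re

# First version the thread names as protecting the console tools (katzyn's comment).
FIRST_PROTECTED = (1, 4, 198)

# Real Spring Boot property that turns the H2 web console on.
SPRING_CONSOLE_KEY = "spring.h2.console.enabled"

# Matches a Maven <dependency> for com.h2database:h2 and captures its <version>.
# Assumes groupId, artifactId, version appear in that order.
POM_H2_DEP_RE = re.compile(
    r"<dependency>\s*<groupId>com\.h2database</groupId>\s*"
    r"<artifactId>h2</artifactId>\s*<version>([^<]+)</version>",
    re.S,
)


def parse_h2_version(version: str) -> tuple[int, int, int]:
    """Turn 'major.minor.build' (optionally with a suffix) into an int tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised H2 version string: {version!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def is_affected_version(version: str) -> bool:
    """True when the build predates the first protected release."""
    return parse_h2_version(version) < FIRST_PROTECTED


def h2_versions_in_pom(pom_text: str) -> list[str]:
    """All com.h2database:h2 versions declared in a pom.xml text."""
    return [v.strip() for v in POM_H2_DEP_RE.findall(pom_text)]


def console_enabled(properties_text: str) -> bool:
    """True when application.properties sets spring.h2.console.enabled=true."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or .properties comment
        key, sep, value = line.partition("=")
        if not sep:  # .properties also allows 'key: value' / 'key value'
            key, sep, value = line.partition(":")
        if key.strip() == SPRING_CONSOLE_KEY and value.strip().lower() == "true":
            return True
    return False


def assess(pom_text: str, properties_text: str) -> list[str]:
    """Return human-readable findings; an empty list means neither condition holds."""
    findings: list[str] = []
    for v in h2_versions_in_pom(pom_text):
        if is_affected_version(v):
            findings.append(f"h2 {v} predates 1.4.198: upgrade")
    if console_enabled(properties_text):
        findings.append(
            f"{SPRING_CONSOLE_KEY}=true: web console enabled; disable it outside local debugging"
        )
    return findings


# Constructed sample inputs: a weak pairing and a hardened pairing.
WEAK_POM = """
<dependencies>
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>1.7.36</version>
  </dependency>
  <dependency>
    <groupId>com.h2database</groupId>
    <artifactId>h2</artifactId>
    <version>1.4.197</version>
  </dependency>
</dependencies>
"""
WEAK_PROPS = "# dev settings\nspring.datasource.url=jdbc:h2:mem:test\nspring.h2.console.enabled=true\n"

HARDENED_POM = WEAK_POM.replace("1.4.197", "2.2.224")
HARDENED_PROPS = WEAK_PROPS.replace("enabled=true", "enabled=false")

if __name__ == "__main__":
    for label, pom, props in (("weak", WEAK_POM, WEAK_PROPS), ("hardened", HARDENED_POM, HARDENED_PROPS)):
        print(label, assess(pom, props) or ["no findings"])
```

Run it as a script to see the weak pairing produce two findings and the hardened pairing none; the same functions can be pointed at real build files. The version check only encodes what the thread states (protection from 1.4.198 on), not a full CVE database, so keep the OSSIndex discussion in mind if a scanner still reports newer versions.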

@mauromol

mauromol commented Feb 7, 2024

> The issue about the incorrectly reported vulnerability is here: OSSIndex/vulns#277

Any idea of why OSSIndex seems to flag all versions of H2 to be still vulnerable to this even now in 2024?
