CVE-2022-45868: Password exposure in H2 Database (not an issue) #3686
Comments
Doesn't seem to be a zero day, according to the original report: https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243
It was privately reported on Aug 4th 2022 via huntr.dev and we explained that it isn't a vulnerability and there is nothing to fix.
Well, it seems your explanation was not honoured by the researchers, given that GHSA-22wj-vf5f-wrvj is now reported by all sorts of automation tools... I'm not sure what to do about this. You can obviously close this issue here, but many others will get similar reports from dependabot and the owasp checker.
Documentation of H2 describes only a file-based configuration (and the password can actually be encrypted in the configuration file). But it is possible to pass a password to a server inside an application without that file:

```java
import org.h2.tools.Server;

// Starts the H2 web console on port 8182 with the admin password passed as a plain argument
Server server = new Server();
server.runTool("-web", "-webPort", "8182", "-properties", "null", "-webAdminPassword", "123");
```

Somebody abused this way by passing these arguments in the command line. OK, this way will also work, and actually it is possible to pass passwords in the command line to many other applications too, but why is it considered a vulnerability of such applications, especially when the command line isn't suggested anywhere and there are safer documented ways? I don't know what to do with this fake report. This setting is rarely needed, but why should we remove it? I also don't see a simple reliable way to check the source of the password to reject only passwords from a command line.
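The practical reason a command-line password is treated as exposed is that on Linux any local user can normally read `/proc/<pid>/cmdline` for every process, so `-webAdminPassword 123` is visible to everyone on the host. The scanner below is an added example (not part of this thread or of the H2 project): it parses the `/proc` cmdline format, flags arguments that carry a secret, and produces a redacted argv that is safe to log. The `-webAdminPassword` option comes from the snippet above; the other option names and the regex patterns are assumed common conventions, not an exhaustive list, and the sample cmdline is constructed, not captured from a real host.

```python
"""Find passwords handed to processes on the command line via /proc/<pid>/cmdline.

Added example for the H2 -webAdminPassword discussion; option names other than
-webAdminPassword are assumed common patterns, not a complete list.
"""
import os
import re

# Options whose secret is the NEXT argv element ("-webAdminPassword 123").
SECRET_NEXT_ARG_OPTIONS = {"-webAdminPassword", "--password", "--secret", "--token"}

# Options that carry the secret inline ("--db-password=hunter2").
SECRET_INLINE_RE = re.compile(
    r"^(--?[\w-]*(?:password|passwd|secret|token)[\w-]*)=(.*)$", re.IGNORECASE
)

REDACTED = "***"


def parse_cmdline(raw: bytes) -> list[str]:
    """Split a /proc/<pid>/cmdline image (NUL-separated, NUL-terminated) into argv."""
    if not raw:  # kernel threads and zombies have an empty cmdline
        return []
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]


def find_cli_secrets(argv: list[str]) -> list[tuple[str, str]]:
    """Return (option, secret_value) pairs found in argv."""
    hits = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        inline = SECRET_INLINE_RE.match(arg)
        if inline:
            hits.append((inline.group(1), inline.group(2)))
        elif arg in SECRET_NEXT_ARG_OPTIONS and i + 1 < len(argv):
            hits.append((arg, argv[i + 1]))
            i += 1  # skip the value so it is not inspected as an option
        i += 1
    return hits


def redact_argv(argv: list[str]) -> list[str]:
    """Copy of argv with detected secret values replaced, safe to log or report."""
    out = list(argv)
    i = 0
    while i < len(out):
        arg = out[i]
        inline = SECRET_INLINE_RE.match(arg)
        if inline:
            out[i] = f"{inline.group(1)}={REDACTED}"
        elif arg in SECRET_NEXT_ARG_OPTIONS and i + 1 < len(out):
            out[i + 1] = REDACTED
            i += 1
        i += 1
    return out


def scan_proc(proc_root: str = "/proc") -> list[tuple[int, list[str]]]:
    """Return (pid, redacted argv) for every readable process with a secret in its cmdline.

    Unreadable entries are skipped: a procfs mounted with hidepid=2 hides other
    users' processes, which is the host-level mitigation for this exposure.
    """
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as f:
                argv = parse_cmdline(f.read())
        except OSError:
            continue
        if find_cli_secrets(argv):
            findings.append((int(name), redact_argv(argv)))
    return findings


# Constructed sample of what /proc/<pid>/cmdline would hold for the Java
# invocation discussed above; not captured from a real host.
SAMPLE_CMDLINE = b"\0".join([
    b"java", b"-cp", b"h2.jar", b"org.h2.tools.Server",
    b"-web", b"-webPort", b"8182", b"-properties", b"null",
    b"-webAdminPassword", b"123",
]) + b"\0"

if __name__ == "__main__":
    argv = parse_cmdline(SAMPLE_CMDLINE)
    print("exposed:", find_cli_secrets(argv))
    print("safe to log:", " ".join(redact_argv(argv)))
    for pid, cmd in scan_proc():
        print(f"pid {pid}: {' '.join(cmd)}")
```

Run as a script it reports the constructed sample and then walks the live `/proc`; the same parser works on a captured `cmdline` file from a forensic image, since the format is just NUL-separated arguments.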
Makes sense to me, thanks for your explanation. It isn't the first case of such a security incident escalating way beyond what's reasonable. Similar things happened to other projects recently, including pgjdbc.
@katzyn Can we modify the source code and remove the option to pass webAdminPassword, as we don't intend to use it, and build the jar and use it?
@katzyn has the dispute been filed with CVE? This is being flagged as a past-due (Nov '22) high vulnerability on all corporate servers by the automatic Sonatype scanners. |
@grandinj |
No sorry, I'm not willing to waste my time on this nonsense |
@grandinj I hope you do realize that if this CVE stays, it would be the end of the use of H2 database by major corporations. We would all need to find alternate solutions and exit H2 within the next 6 months. Please reconsider. |
I struggle to understand why I should feel the slightest shred of sympathy for "major corporations" that are using a volunteer-developed open-source project. |
Despite being marked as a non-issue, this has been addressed in #3833 and released in version 2.2.220 |
Dependabot and org.owasp:dependency-check-maven have been reporting CVE-2022-45868 (see GHSA-22wj-vf5f-wrvj) to me. I didn't find this CVE referenced from any issue in the issue tracker here, so I'm creating this one. Since the CVE has already been published (possibly as a zero day??), I suspect it's OK to report this publicly here. For future private reports, I think it would be useful to set up a security policy here on github? https://github.com/h2database/h2database/security/policy