Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BREAKING - #3686 Remove webAdminPassword CLI property #3832

Closed

Conversation

nhumblot
Copy link

@nhumblot nhumblot commented Jul 2, 2023

Fix #3686

This PR aims to fix CVE-2022-45868 by removing the -webAdminPassword CLI parameter to enforce relying on the already documented file-based configuration.

Please note this change is a breaking change on the public API of h2database. If the maintainers of this project agree with the objective of this change, but prefer a more progressive approach, I can open a second PR which would deprecate this parameter first, to warn users about its future removal in the next major version.

Comments are welcome 🙂

@katzyn
Copy link
Contributor

katzyn commented Jul 3, 2023

There is nothing to fix, H2 doesn't expose any passwords here. It isn't a real security issue, it's just a typical fake security report that wasn't reviewed properly before publication. A so called exploit actually exposes the password by itself and starts H2 Server with this password.

runTool() is a wrong place to do any changes, this method is called from other applications when they use embedded version of H2. They can pass passwords here safely.

@nhumblot nhumblot closed this Jul 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CVE-2022-45868: Password exposure in H2 Database (not an issue)
2 participants