CVE-2022-45868

Information Exposure
Affects
H2 Database
in
H2
Versions
>= 1.4.198, < 2.2.220
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

H2 Database Engine is an open-source Java-based relational database management system widely used for development, testing, and embedded database scenarios. Among its features is a web-based admin console that enables interactive database management. 

A security issue (CVE-2022-45868) has been identified in H2 Database Engine, involving the way the web admin console is started from the command line with the -webAdminPassword argument. Because the password is passed in cleartext, a local user, or an attacker who has obtained local access to the host, can list running processes and their arguments to discover the admin password. Although the H2 project has disputed the classification of this issue, the behavior was addressed in OSS versions 2.2.220 and later.

Per OWASP: Cleartext Storage of Sensitive Information occurs when the product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

This issue affects multiple versions of the H2 Database (h2) module.

Details

Module Info

Vulnerability Info

This high-severity vulnerability stems from insecure handling of administrative credentials in affected H2 Database Engine versions. When the web-based admin console is launched with the -webAdminPassword argument on the command line, the password is visible in plaintext among process arguments. On many operating systems, local users with access to ps, top, or equivalent tools can list processes and read their arguments, thereby exposing credentials that should remain confidential.

Steps To Reproduce

  1. Install or use an affected H2 Database Engine build that supports the web admin console.
  2. Start the H2 web admin console from the command line with the argument -webAdminPassword, supplying a known password (e.g., java -cp h2.jar org.h2.tools.Server -webAdminPassword my-password).
  3. From another local account on the same host, list system processes (e.g., using ps aux or similar).
  4. Observe the cleartext admin password within the process arguments output, demonstrating exposure of sensitive credentials.

Proof Of Concept

With a vulnerable H2 Database Engine instance running, an attacker with local access can simply inspect the system’s process list. Because the admin console was started with a cleartext password, the attacker’s ps output will include the password string exactly as provided by the administrator. For example, the presence of -webAdminPassword my-password in the process arguments directly reveals the credential, allowing unauthorized access to the database admin console if it is reachable or otherwise exploitable. This shows how sensitive data exposure via command line arguments can be leveraged for credential disclosure.
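The exposure described above is also straightforward to audit for from the defender's side. The following script, added here as an example and not part of the advisory or of the H2 project, parses a `ps -eo pid,user,args` style listing, flags any process whose command line carries a secret-bearing argument (the H2 -webAdminPassword flag from this advisory, plus a generic --password pattern included only to show that the check generalizes to the whole class), and reports the finding with the secret value redacted so the audit output does not itself become a second copy of the credential. The process listing embedded below is constructed for this example; the `SENSITIVE_FLAGS` list and function names are choices made here.

```python
"""Audit a process listing for cleartext credentials in command-line arguments.

Example code illustrating CVE-2022-45868 (H2 -webAdminPassword exposure).
The sample listing, flag list and helper names are constructed for this
example and are not part of H2 or of the advisory.
"""
import shlex
import subprocess
from dataclasses import dataclass

# Flags whose value (next argument, or "flag=value") is a secret.
# -webAdminPassword is the H2 flag from the advisory; --password is an
# illustrative generic pattern added here to show the check generalizes.
SENSITIVE_FLAGS = ("-webAdminPassword", "--password")

# Constructed sample of `ps -eo pid,user,args` output (not captured from a
# real host). Process 1204 reproduces the command line from the advisory.
SAMPLE_PS = """\
  PID USER     COMMAND
 1204 h2       java -cp h2.jar org.h2.tools.Server -webAdminPassword my-password
 1310 alice    /usr/bin/java -jar app.jar --spring.profiles.active=prod
 1422 root     sshd: /usr/sbin/sshd -D
"""


@dataclass
class Finding:
    pid: int
    user: str
    flag: str
    redacted_cmd: str  # command line with the secret value masked


def redact_sensitive_args(argv):
    """Return (flags_found, redacted_argv) for one tokenized command line.

    Handles both "-flag value" and "--flag=value" forms.
    """
    found, out, i = [], [], 0
    while i < len(argv):
        arg = argv[i]
        matched = False
        for flag in SENSITIVE_FLAGS:
            if arg == flag and i + 1 < len(argv):
                found.append(flag)
                out.extend([arg, "<redacted>"])
                i += 2
                matched = True
                break
            if arg.startswith(flag + "="):
                found.append(flag)
                out.append(flag + "=<redacted>")
                i += 1
                matched = True
                break
        if not matched:
            out.append(arg)
            i += 1
    return found, out


def scan_ps_output(text):
    """Parse `pid user args` lines and return one Finding per sensitive flag."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header line or malformed row
        pid, user, cmd = parts
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = cmd.split()  # unbalanced quotes: fall back to whitespace split
        flags, redacted = redact_sensitive_args(argv)
        for flag in flags:
            findings.append(Finding(int(pid), user, flag, " ".join(redacted)))
    return findings


def scan_live_processes():
    """Run ps on the current Linux/macOS host and scan its output."""
    proc = subprocess.run(["ps", "-eo", "pid,user,args"],
                          capture_output=True, text=True, check=True)
    return scan_ps_output(proc.stdout)


if __name__ == "__main__":
    for f in scan_ps_output(SAMPLE_PS):
        print(f"pid={f.pid} user={f.user} flag={f.flag}: {f.redacted_cmd}")
```

Run against the sample, the script reports process 1204 with the value of -webAdminPassword masked; pointing `scan_live_processes()` at a real host turns the same logic into a periodic check that any cleartext credential handed to a long-running process would trip.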

Mitigation

Only recent versions of H2 Database are community-supported and will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of H2 Database.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

  • Evgenij Ryazanov

Vulnerability Details
ID
CVE-2022-45868
PROJECT Affected
H2 Database
Versions Affected
>= 1.4.198, < 2.2.220
Published date
January 5, 2026
≈ Fix date
July 3, 2023
Fixed in
Severity
Level: High
CVSS Assessment (legend)
Low: >=0 <4
Medium: >=4 <6
High: >=6 <8
Critical: >=8 <10
Category
Information Exposure