[ https://issues.apache.org/jira/browse/ISIS-3128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17619584#comment-17619584 ]
Daniel Keir Haywood commented on ISIS-3128:
-------------------------------------------

sorry, it fixes CVE-2022-42467 (not 42466)

> [Security] h2 console potentially vulnerable to code execution
> --------------------------------------------------------------
>
>                 Key: ISIS-3128
>                 URL: https://issues.apache.org/jira/browse/ISIS-3128
>             Project: Isis
>          Issue Type: Improvement
>          Components: Isis Examples, Isis Examples Demo App
>    Affects Versions: 2.0.0-M7
>            Reporter: WilliamThomson
>            Assignee: Andi Huber
>            Priority: Major
>              Labels: security
>             Fix For: 2.0.0-M8
>
>         Attachments: 1.png, 2.png, 3.png
>
>
> First of all: I am not sure if the service is intentionally set up by the
> project. But: as the current ISIS version (7.9.0) that is used by isis is
> vulnerable to it, I guess it might be relevant to you.
>
> h2 database external access is enabled and uses the SA admin user by default,
> resulting in code execution.
>
> Access 127.0.0.1:8080/db; you can log in without an additional username and
> password, because the project permits SA login, as in 1.png and 2.png.
>
> The SA account can execute SQL queries, causing code execution, as in 3.png.
>
> PoC like this:
> CREATE ALIAS GET_SYSTEM_PROPERTY FOR "java.lang.System.getProperty";
> CALL GET_SYSTEM_PROPERTY('java.class.path');
>
> Even if the h2 db web login is a normal service, I think it needs to be set to
> prohibit remote browser login.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
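For readers hardening a similar deployment, the following is an added example (not configuration from the Isis project or from the issue) showing the exposed H2 console setup the report describes next to a locked-down one. It assumes the application uses Spring Boot's H2 console autoconfiguration; the property names are Spring Boot's, the `/db` path and the `H2_DB_PASSWORD` variable are illustrative, and `spring.h2.console.settings.web-admin-password` is only honoured by Spring Boot versions that provide it.

```properties
# --- application.properties, weak (the situation in the report) ---
# Console is served, remote browsers are allowed in, and the database
# opens as the SA user with an empty password, so anyone who can reach
# :8080/db can log in and run CREATE ALIAS ... FOR a Java method.
spring.h2.console.enabled=true
spring.h2.console.path=/db
spring.h2.console.settings.web-allow-others=true
spring.datasource.url=jdbc:h2:mem:demo
spring.datasource.username=sa
spring.datasource.password=

# --- application.properties, hardened ---
# 1. Do not ship the console at all in the default profile.
spring.h2.console.enabled=false

# --- application-dev.properties, only when a developer needs the console ---
# 2. Serve it to local browsers only (web-allow-others=false is also the
#    Spring Boot default; it is spelled out here so the intent is reviewable).
# 3. Give SA a real password, supplied from the environment, so an empty
#    username/password login no longer works.
# 4. Protect the console's admin features with their own password.
spring.h2.console.enabled=true
spring.h2.console.path=/db
spring.h2.console.settings.web-allow-others=false
spring.h2.console.settings.web-admin-password=${H2_CONSOLE_ADMIN_PASSWORD}
spring.datasource.url=jdbc:h2:mem:demo
spring.datasource.username=sa
spring.datasource.password=${H2_DB_PASSWORD}
```

A quick deployment check is to confirm that a request to the console path from a non-loopback address is refused and that the SA login with an empty password is rejected; the `CREATE ALIAS` call in the report only has effect once both of those gates are open.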