[
https://issues.apache.org/jira/browse/HIVE-27501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Diksha updated HIVE-27501:
--------------------------
Description: The web-based admin console in H2 Database Engine through
2.1.214 can be started via the CLI with the argument -webAdminPassword, which
allows the user to specify the password in cleartext for the web admin console.
Consequently, a local user (or an attacker that has obtained local access
through some means) would be able to discover the password by listing processes
and their arguments. (was: The web-based admin console in H2 Database Engine
through 2.1.214 can be started via the CLI with the argument -webAdminPassword,
which allows the user to specify the password in cleartext for the web admin
console. Consequently, a local user (or an attacker that has obtained local
access through some means) would be able to discover the password by listing
processes and their arguments. NOTE: the vendor states "This is not a
vulnerability of H2 Console ... Passwords should never be passed on the command
line and every qualified DBA or system administrator is expected to know that.")
> CVE-2022-45868: upgraded h2database version to 2.2.220
> ------------------------------------------------------
>
> Key: HIVE-27501
> URL: https://issues.apache.org/jira/browse/HIVE-27501
> Project: Hive
> Issue Type: Task
> Reporter: Diksha
> Assignee: Diksha
> Priority: Major
>
> The web-based admin console in H2 Database Engine through 2.1.214 can be
> started via the CLI with the argument -webAdminPassword, which allows the
> user to specify the password in cleartext for the web admin console.
> Consequently, a local user (or an attacker that has obtained local access
> through some means) would be able to discover the password by listing
> processes and their arguments.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
