Does the latest H2 (1.4.200) database still have security vulnerabilities?


Is this the right forum to discuss the security issues of the H2 database? Does the latest H2 (1.4.200) database still have the security issues listed at this link: https://www.cvedetails.com/vulnerability-list.php?vendor_id=17893&product_id=45580&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=2018&month=0&cweid=0&order=1&trc=2&sha=4b0469c034ade604446d7ba13f215239fac896a3

asked Apr 22, 2020 at 13:05 by santhosh

1 Answer

CVE-2018-14335 looks like a fake one. Older versions of H2 were affected only when you explicitly configured access to the H2 Console for everyone; by default it is restricted to local connections only (do you have untrusted local users on the same PC?), and the documentation clearly describes that you need to protect your server from unauthorized access when you want to enable remote access. Unfortunately, people usually don't read the documentation.

CVE-2018-10054 is not about H2; it is about an insecure configuration of H2 in Datomic, and it is fixed in Datomic 0.9.5697.

Many third-party products include an insecure configuration of H2. To protect their users from such security issues, H2 since version 1.4.198 doesn't allow access to sensitive features of the H2 Console (including the features used in these two vulnerabilities) without additional authentication, so these issues should be considered resolved in those products too if they use some recent version of H2.

However, your application should not have databases with weak passwords for ADMIN users and remote access enabled for everyone. H2 is not a secure container; users with ADMIN privileges have access to the JVM and possibly to your system by design. Don't give ADMIN privileges to untrusted people and applications; you can create users with normal privileges for them and grant them access only to the necessary data.

answered Apr 22, 2020 at 13:47 by Evgenij Ryazanov
  • Thank you for the detailed explanation. – santhosh Commented Apr 23, 2020 at 5:04
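The answer makes two configuration points: keep the H2 Console on its default local-only binding instead of opening it to everyone, and give applications a normal user with grants on specific tables rather than ADMIN. The following is an added example (not code from the question, the answer, or the H2 project) showing both side by side with the public H2 JDBC driver and `org.h2.tools.Server` API: it starts the console without `-webAllowOthers`, creates the database as the admin user, creates a read-only `reporting` user with `GRANT SELECT` on one table, and then demonstrates that the restricted user can read but not write. The database name, table, user names and passwords are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import org.h2.tools.Server;

public class H2LeastPrivilegeDemo {

    // Constructed demo values; in a real deployment use generated secrets from a vault.
    private static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";
    private static final String ADMIN_USER = "sa";
    private static final String ADMIN_PASSWORD = "demo-admin-replace-with-strong-secret";
    private static final String REPORT_USER = "reporting";
    private static final String REPORT_PASSWORD = "demo-report-replace-with-strong-secret";

    public static void main(String[] args) throws Exception {
        // Weak setting (shown only as a comment): "-webAllowOthers" makes the console reachable
        // from every host that can reach the port, which is the misconfiguration the answer warns about.
        //   Server.createWebServer("-webPort", "8082", "-webAllowOthers").start();
        // Default setting: without "-webAllowOthers" the console accepts only local connections.
        Server console = Server.createWebServer("-webPort", "8082").start();
        try {
            // The first connection to an in-memory database creates it; that user becomes ADMIN.
            try (Connection admin = DriverManager.getConnection(URL, ADMIN_USER, ADMIN_PASSWORD);
                 Statement st = admin.createStatement()) {
                st.execute("CREATE TABLE orders(id INT PRIMARY KEY, customer VARCHAR(64), total DECIMAL(10,2))");
                st.execute("INSERT INTO orders VALUES (1, 'acme', 120.00), (2, 'globex', 75.50)");
                // A normal (non-ADMIN) user that may only read one table: no JVM access, no other objects.
                st.execute("CREATE USER IF NOT EXISTS " + REPORT_USER + " PASSWORD '" + REPORT_PASSWORD + "'");
                st.execute("GRANT SELECT ON orders TO " + REPORT_USER);
            }

            // Connect as the restricted user and exercise both the allowed and the denied operation.
            try (Connection report = DriverManager.getConnection(URL, REPORT_USER, REPORT_PASSWORD);
                 Statement st = report.createStatement()) {
                try (ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM orders")) {
                    rs.next();
                    System.out.println("reporting can read orders: " + rs.getInt(1) + " rows");
                }
                try {
                    st.execute("INSERT INTO orders VALUES (3, 'initech', 1.00)");
                    System.out.println("UNEXPECTED: reporting was able to write");
                } catch (SQLException e) {
                    // H2 rejects the write because the user holds only SELECT on the table.
                    System.out.println("reporting cannot write (expected): " + e.getMessage());
                }
            }
        } finally {
            console.stop();
        }
    }
}
```

Run it with the H2 jar on the classpath (`java -cp h2-1.4.200.jar:. H2LeastPrivilegeDemo`; the console port 8082 is H2's default and can be changed if it is taken). The additional console authentication the answer refers to for 1.4.198 and later is the `-webAdminPassword` server option; its expected value format depends on the H2 release, so check the documentation of the version you run before relying on it.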
