Description

H2 is a relational database management system written in Java. It can be embedded in Java applications or run in client-server mode.

The H2 database ships with an H2 console web application that is not enabled by default and is normally accessible at the endpoint /h2-console. This database console should only be enabled during development and must be disabled once the application is deployed in a production environment. It was discovered that the H2 console is publicly accessible on this website.

Remediation

It's recommended to disable access to the H2 console in production environments. To disable the H2 console, add the following line to application.properties:

spring.h2.console.enabled=false
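One way to audit a Spring Boot deployment for this finding offline, as an added example that is not part of the advisory: it parses the relevant .properties sources and applies the precedence rule that a profile-specific file overrides application.properties, with the console off unless spring.h2.console.enabled is explicitly true. The file contents below are constructed for the demonstration.

```python
"""Audit Spring Boot .properties sources for an enabled H2 console.

Added example, not part of the original advisory. Models one piece of Spring
Boot precedence: application-<profile>.properties overrides
application.properties, and the console is off unless
spring.h2.console.enabled is explicitly true. Inputs are constructed inline.
"""

H2_ENABLED_KEY = "spring.h2.console.enabled"
H2_PATH_KEY = "spring.h2.console.path"


def parse_properties(text):
    """Parse a .properties body into a dict; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java properties accept '=' or ':' as the separator; the first one wins.
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def h2_console_exposed(base_text, profile_text=""):
    """Return (enabled, path) for base properties merged with a profile file."""
    cfg = parse_properties(base_text)
    cfg.update(parse_properties(profile_text))  # profile-specific values win
    enabled = cfg.get(H2_ENABLED_KEY, "false").strip().lower() == "true"
    return enabled, cfg.get(H2_PATH_KEY, "/h2-console")


# Constructed sample: a dev setting left in the base file, fixed by the prod profile.
BASE_PROPS = """
# developer convenience, forgotten before release
spring.h2.console.enabled=true
spring.h2.console.path: /h2-console
"""
PROD_FIXED = "spring.h2.console.enabled=false\n"

if __name__ == "__main__":
    print(h2_console_exposed(BASE_PROPS))              # (True, '/h2-console')
    print(h2_console_exposed(BASE_PROPS, PROD_FIXED))  # (False, '/h2-console')
```

Run it against the real application.properties and application-prod.properties of a deployment to confirm the production profile actually turns the console off rather than inheriting a development value.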
