CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2023-26964
https://notcve.org/view.php?id=CVE-2023-26964
An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS). • https://github.com/hyperium/hyper/issues/2877 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZHBAE7LQARMPUEEV4TWET4D7G6WCWBUD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYRZ5Y2ALATKKPIITAFAJIS4TR4LUAHO • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45868
https://notcve.org/view.php?id=CVE-2022-45868
The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220. ** DISPUTA ** La consola de administración basada en web en H2 Database Engine hasta 2.1.214 se puede iniciar a través de la CLI con el argumento -webAdminPassword, que permite al usuario especificar la contraseña en texto sin cifrar para la consola de administración web. • https://github.com/advisories/GHSA-22wj-vf5f-wrvj https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347 https://github.com/h2database/h2database/issues/3686 https://github.com/h2database/h2database/pull/3833 https://github.com/h2database/h2database/releases/tag/version-2.2.220 https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243 • CWE-312: Cleartext Storage of Sensitive Information •