CVE-2022-42467

EPSS 0.35%
Veröffentlicht 19.10.2022 08:15:11
Zuletzt bearbeitet 21.11.2024 07:25:01
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of 2.0.0-M8, this can now be done using the 'isis.prototyping.h2-console.web-allow-remote-access' configuration property; the web console will be unavailable without setting this configuration. As an additional safeguard, the new 'isis.prototyping.h2-console.generate-random-web-admin-password' configuration parameter (enabled by default) requires that the administrator use a randomly generated password to use the console. The password is printed to the log, as "webAdminPass: xxx" (where "xxx") is the password. To revert to the original behaviour, the administrator would therefore need to set these configuration parameter: isis.prototyping.h2-console.web-allow-remote-access=true isis.prototyping.h2-console.generate-random-web-admin-password=false Note also that the h2 webconsole is never available in production mode, so these safeguards are only to ensure that the webconsole is secured by default also in prototype mode.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Isis Version < 2.0.0

Apache ≫ Isis Version2.0.0 Updatemilestone1

Apache ≫ Isis Version2.0.0 Updatemilestone2

Apache ≫ Isis Version2.0.0 Updatemilestone3

Apache ≫ Isis Version2.0.0 Updatemilestone4

Apache ≫ Isis Version2.0.0 Updatemilestone5

Apache ≫ Isis Version2.0.0 Updatemilestone6

Apache ≫ Isis Version2.0.0 Updatemilestone7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.35%	0.567

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

http://www.openwall.com/lists/oss-security/2022/10/19/1

Third Party Advisory

Mailing List

https://lists.apache.org/thread/jbv2ddt00h7ntlbm6vkk4wdmb31pm8q3

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-42467

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-42467

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-42467

EUVD