Grails database console - Vulnerability Database

Grails database console

Description

The Grails framework includes a built-in database console accessible at /dbconsole/, which is enabled by default in development mode. This interactive web interface allows direct execution of SQL queries and provides visibility into the database schema. When this console remains accessible in production environments, it exposes sensitive database information and functionality to unauthorized users.

Remediation

Ensure the Grails application runs in production mode rather than development mode when deployed to production environments. Production mode automatically disables the database console and other development-only features.

To configure production mode, set the appropriate environment when starting the application:

    grails prod run-app

Or, when deploying as a WAR file, ensure the application server is configured to use the production environment:

    grails.env=production

Additionally, verify that the /dbconsole/ endpoint returns a 404 error in production by testing the URL after deployment. If you need database administration capabilities in production, implement a separate, properly secured administrative interface with strong authentication and authorization controls, and restrict access by IP address or VPN.
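The post-deployment verification described above can be scripted so it runs as part of every release. The following is an added example, not code from Invicti or the Grails project: it probes the default /dbconsole path (with and without a trailing slash), maps the HTTP status to a verdict, and exits non-zero unless every probe reports the console disabled. The base URL is a constructed placeholder, and the fetch function is injectable so the verdict logic can be exercised offline.

```python
"""Post-deployment check for an exposed Grails /dbconsole/ endpoint.

Added example, not Invicti's or the Grails project's code. It assumes the
console lives at Grails' default /dbconsole path; BASE_URL is a constructed
placeholder that must be replaced with the deployed application's address.
"""
import urllib.error
import urllib.request

# Constructed placeholder; point this at the deployed application.
BASE_URL = "https://app.example.invalid"

# Default Grails console path; add entries here if the app relocates it.
CONSOLE_PATHS = ("/dbconsole", "/dbconsole/")


def fetch_status(url, timeout=5):
    """Return the HTTP status code for a GET of url (the body is discarded)."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx responses still carry the status we need


def classify(status):
    """Map a status code to a verdict on the console endpoint."""
    if status == 404:
        return "disabled"             # what production mode should produce
    if status in (401, 403):
        return "present-but-guarded"  # still deployed; relies on an extra control
    if 200 <= status < 400:
        return "exposed"              # the console (or a redirect into it) answers
    return "unknown"                  # 5xx or other; investigate before signing off


def check_console(base_url, fetch=fetch_status):
    """Probe each console path and return {path: verdict}.

    `fetch` is injectable so the verdict logic can be tested without network access.
    """
    root = base_url.rstrip("/")
    return {path: classify(fetch(root + path)) for path in CONSOLE_PATHS}


def deployment_is_clean(results):
    """True only if every probed path reports the console disabled."""
    return all(verdict == "disabled" for verdict in results.values())


if __name__ == "__main__":
    results = check_console(BASE_URL)
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
    raise SystemExit(0 if deployment_is_clean(results) else 1)
```

Run it against the production hostname after each deployment; a "present-but-guarded" verdict means the console is still shipped and only a reverse-proxy or authentication rule stands between it and the internet, which is worth treating as a finding in its own right rather than a pass.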
