H2 console publicly accessible - Vulnerability Database


Description

H2 is a lightweight relational database management system written in Java that can operate in embedded or client-server mode. The H2 database includes a built-in web-based administration console, typically accessible at the /h2-console endpoint, which is intended for development and debugging purposes only.

This vulnerability indicates that the H2 console is publicly accessible on this application. The console should be disabled in production environments as it provides direct access to database configuration and connection settings, potentially exposing sensitive information and database access points to unauthorized users.

Remediation

The H2 console must be disabled in all production environments. Follow these steps to secure your application:

1. Disable the H2 Console
Add or modify the following property in your application.properties file:

spring.h2.console.enabled=false

Or in application.yml:
spring:
  h2:
    console:
      enabled: false

2. Use Environment-Specific Configuration
If the console is needed for local development, use profile-specific configuration files:
# application-dev.properties
spring.h2.console.enabled=true

# application-prod.properties
spring.h2.console.enabled=false

3. Verify the Change
After deployment, confirm that the /h2-console endpoint returns a 404 or 403 error when accessed.

4. Additional Security Measures
If the console must remain enabled, restrict access using IP whitelisting or authentication filters in your security configuration.
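The following Spring Security configuration is an added example illustrating steps 1 to 4 above; it is not code from the Invicti page or from the H2 or Spring projects. It assumes Spring Boot 3 with Spring Security 6, a hypothetical package name, and a profile named "dev" for local development. Outside the "dev" profile the console path is denied at the filter-chain level, which gives a second, independent layer on top of spring.h2.console.enabled=false; in "dev" the console is limited to loopback clients holding the ADMIN role, which is the IP-restriction-plus-authentication approach named in step 4.

```java
package com.example.security; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;

@Configuration
public class H2ConsoleSecurityConfig {

    // Everything under the console endpoint named in the advisory.
    private static final String CONSOLE_PATH = "/h2-console/**";

    // Any profile other than "dev" (production included): refuse the console outright.
    // @Order(1) makes sure this chain is consulted before a broader default chain.
    @Bean
    @Order(1)
    @Profile("!dev")
    public SecurityFilterChain consoleDenied(HttpSecurity http) throws Exception {
        http.securityMatcher(CONSOLE_PATH)
            .authorizeHttpRequests(auth -> auth.anyRequest().denyAll());
        return http.build();
    }

    // Development only: the console answers solely to loopback clients that have
    // authenticated (HTTP Basic here) and hold the ADMIN role.
    @Bean
    @Order(1)
    @Profile("dev")
    public SecurityFilterChain consoleRestricted(HttpSecurity http) throws Exception {
        http.securityMatcher(CONSOLE_PATH)
            .authorizeHttpRequests(auth -> auth.anyRequest().access(
                new WebExpressionAuthorizationManager(
                    "(hasIpAddress('127.0.0.1') or hasIpAddress('::1')) and hasRole('ADMIN')")))
            .httpBasic(Customizer.withDefaults())
            // The H2 console submits plain HTML forms and renders itself in frames.
            // Both relaxations are scoped to this chain only, not to the rest of the app.
            .csrf(csrf -> csrf.ignoringRequestMatchers(CONSOLE_PATH))
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }
}
```

With this in place, step 3 is verified by requesting /h2-console against the production profile and confirming a 403 (from the denyAll chain) or a 404 (when the console property is also disabled); if the application sits behind a reverse proxy, hasIpAddress evaluates the address the proxy presents, so make sure forwarded-header handling is configured before relying on the loopback check.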
