Summary

Invicti detected that the H2 Console is enabled.

H2 is a relational database management system written in Java. It can be embedded in Java applications or run in client-server mode. The H2 database ships with an H2 Console web application that is not enabled by default. This database console should only be enabled during development and disabled once the application is deployed to a production environment. It was discovered that the H2 console is enabled on this Spring Boot website.

Impact

An attacker can try to use default database credentials to gain access to the H2 databases.

Actions To Take

It is recommended to disable access to the H2 console in production environments. To disable the H2 console, add the following line to application.properties:

spring.h2.console.enabled=false
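Because Spring Boot layers profile-specific files over application.properties, a single `enabled=false` line is easy to lose to an override, and the console path is also configurable. The following checker is an added example (not Invicti's code and not part of Spring Boot); it parses .properties files, merges them in Spring Boot's precedence order, and reports the effective H2 console setting. It assumes the documented property names and defaults (`spring.h2.console.enabled` defaults to false, `spring.h2.console.path` to `/h2-console`, `spring.h2.console.settings.web-allow-others` to false) and uses constructed sample files.

```python
"""Check Spring Boot .properties files for an enabled H2 console.

Added example, not part of Invicti's page or of Spring Boot itself.
Assumptions:
  - only the .properties format is handled (application.yml is not);
  - the property names and defaults are Spring Boot's documented ones:
      spring.h2.console.enabled                    (default false)
      spring.h2.console.path                       (default /h2-console)
      spring.h2.console.settings.web-allow-others  (default false)
  - profile-specific files (application-<profile>.properties) override
    application.properties, as Spring Boot's property precedence does.
"""
from dataclasses import dataclass

# Constructed sample files standing in for src/main/resources of a project.
BASE_PROPERTIES = """
# settings shared by every profile
spring.datasource.url=jdbc:h2:mem:devdb
spring.h2.console.enabled=true
spring.h2.console.path = /db-admin
"""

PROD_PROPERTIES = """
! overrides applied when the 'prod' profile is active
spring.h2.console.enabled=false
"""

TRUE_VALUES = {"true", "on", "yes", "1"}  # what Spring's boolean conversion accepts


def parse_properties(text):
    """Minimal .properties parser: '#'/'!' comments, '=' or ':' as separator."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # the first '=' or ':' ends the key; anything after it is the value
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            cut = min(seps)
            key, value = line[:cut], line[cut + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


@dataclass
class ConsoleStatus:
    enabled: bool
    path: str
    remote_allowed: bool
    decided_by: str  # file (or "<default>") that set spring.h2.console.enabled


def merge_layers(layers):
    """Merge (filename, text) pairs; later files override earlier ones."""
    merged = {}
    for name, text in layers:
        for key, value in parse_properties(text).items():
            merged[key] = (value, name)
    return merged


def audit_h2_console(layers):
    """Return the effective H2 console configuration for the given layers."""
    merged = merge_layers(layers)
    enabled, decided_by = merged.get("spring.h2.console.enabled", ("false", "<default>"))
    path = merged.get("spring.h2.console.path", ("/h2-console", "<default>"))[0]
    remote = merged.get("spring.h2.console.settings.web-allow-others", ("false", "<default>"))[0]
    return ConsoleStatus(
        enabled=enabled.lower() in TRUE_VALUES,
        path=path,
        remote_allowed=remote.lower() in TRUE_VALUES,
        decided_by=decided_by,
    )


def findings(status):
    """Human-readable findings; empty when the console is disabled."""
    out = []
    if status.enabled:
        out.append(f"H2 console enabled at {status.path} (set in {status.decided_by})")
        if status.remote_allowed:
            out.append("web-allow-others=true: console also reachable from other hosts")
    return out


if __name__ == "__main__":
    dev = [("application.properties", BASE_PROPERTIES)]
    prod = dev + [("application-prod.properties", PROD_PROPERTIES)]
    for label, layers in (("dev", dev), ("prod", prod)):
        print(label, findings(audit_h2_console(layers)) or ["console disabled"])
```

With the sample files, the dev layering reports the console enabled at `/db-admin`, while the prod layering reports it disabled because `application-prod.properties` wins. The check is a static approximation: environment variables and command-line arguments take precedence over file values, and `enabled=true` only has an effect in a servlet web application with H2 on the classpath, so a finding from this script should be confirmed against the deployed application.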

Classifications

CWE-16; OWASP 2013-A5; OWASP 2017-A6; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N