Spring Boot Misconfiguration: H2 console enabled

Severity: Medium
Summary

Invicti detected that the H2 Console is enabled.

H2 is a relational database management system written in Java. It can be embedded in Java applications or run in client-server mode. The H2 database ships with an H2 console web application that is not enabled by default. This database console should only be enabled during development and disabled once the application is deployed to a production environment. It was discovered that the H2 console is enabled on this Spring Boot website.

Impact

An attacker can try default database credentials against the console to gain access to the H2 databases.

Actions To Take

It's recommended to disable access to the H2 console in production environments. To disable the H2 console, add the following line to application.properties:

spring.h2.console.enabled=false
OR
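One way to check a project's configuration for this setting before deployment, as an added example that is not Invicti's code: it parses the base application.properties and an optional profile-specific file, lets the profile override the base, and applies the Spring Boot default (console disabled when the key is absent). The property contents below are constructed samples; YAML configuration is not handled.

```python
"""Audit Spring Boot .properties files for the H2 console setting.

Added example, not Invicti's or the Spring project's code. Assumes plain
Java .properties syntax; the sample contents are constructed.
"""
from typing import Dict, Optional

H2_CONSOLE_KEY = "spring.h2.console.enabled"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value or key: value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Prefer '=' so JDBC URLs containing ':' in the value survive.
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def h2_console_enabled(base: str, profile: Optional[str] = None) -> bool:
    """True if the effective configuration enables the H2 console.

    Spring Boot's default is disabled, so a missing key means disabled.
    A profile-specific file (application-<profile>.properties) overrides
    the base file for every key it sets.
    """
    effective = parse_properties(base)
    if profile is not None:
        effective.update(parse_properties(profile))
    return effective.get(H2_CONSOLE_KEY, "false").lower() == "true"


# Constructed samples: a dev base file that turns the console on, and a
# prod profile that applies the fix from this advisory.
BASE = """
# application.properties (constructed)
spring.datasource.url=jdbc:h2:mem:testdb
spring.h2.console.enabled=true
"""
PROD = """
# application-prod.properties (constructed)
spring.h2.console.enabled=false
"""

if __name__ == "__main__":
    print("dev  enabled:", h2_console_enabled(BASE))        # True
    print("prod enabled:", h2_console_enabled(BASE, PROD))  # False
```

Run it in CI against the real property files of each deployed profile and fail the build when it returns True for production.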
