Hello!
1. H2 is not a secure container. If some application provides direct access to H2 for untrusted users in any way, you should report it to its developers.
2. Users with ADMIN privileges may do anything by design: they have full access to the JVM and may interact with the host operating system as far as the JVM and the access permissions of the operating system user allow it. Untrusted users should have database accounts with lower access permissions (ALTER ANY SCHEMA, schema owner, or regular permissions with the necessary grants).
3. H2 Console is a tool for developers; it shouldn't be exposed by an application to its users. It may legitimately be used only when it is protected by a security constraint with an appropriate security role. In all other cases it is a security issue of that application and it should be fixed on its side.
4. The Shell tool is also just a simple command-line tool; it has the same access to the operating system as its process has. It doesn't provide and shouldn't provide any additional security.
5. An application should never allow customization of the JDBC URL or connection parameters by untrusted end users. If it allows it, please report it to its developers. H2 has various dangerous parameters, and they are really required for many applications, but their developers should read the documentation and clearly realize what they're doing.
6. If an application starts the H2 Server with insecure parameters (-ifNotExists, -***AllowOthers, etc.) and it doesn't guard the ports by itself in some way (by a special firewall configuration, for example), it is a security issue of that application.
7. Database files from untrusted sources may be dangerous and normally shouldn't be used without some additional validation.
8. Old 1.*.* releases of H2 aren't supported and may have any number of issues; they aren't going to be fixed. Only the 2.0/2.1 series of releases is currently supported, and the latest release is 2.1.210.
Actually there is nothing really special about H2; all database management systems should normally be used in isolated environments. Unfortunately, many people think that H2 is some regular Java library, but it isn't.
If you find something of that kind, it isn't a vulnerability of H2, but you can file a new issue on GitHub anyway if you want to discuss something. Please don't include the names of vulnerable applications in its title or description if you haven't already tried to contact their developers.
If you find something really different and unexpected, you can write an e-mail to the active developers of H2 or you can report it on https://huntr.dev/ (for the h2database/h2database repository).
A few possible examples of things that look like real vulnerabilities:
1. A user with only SELECT rights can execute an INSERT on that table (when no valid special way such as a trigger on another table was provided).
2. A user with only ALTER ANY SCHEMA or lower privileges can execute a command that requires ADMIN privileges.
3. Some magic connection parameters or bytes sent to the server can be used to get a connection under some account without knowing its password, excluding the creation of new databases, which is allowed for embedded connections and also in some other cases; see the documentation for details.
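As an added illustration of points 2 and 6 above (example code, not part of the original post or of the H2 project), the following program provisions the three tiers of non-ADMIN accounts the post names and then starts the TCP server without the flags it calls insecure. The data directory, database name, user names and the `<...>` passwords are placeholders chosen for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;
import org.h2.tools.Server;

// Added example: least-privilege H2 accounts plus a hardened TCP server start.
public class ProvisionH2 {

    // Assumed values for this example; adjust to the real deployment.
    static final String BASE_DIR = "./h2data";
    static final String DB_NAME = "app";

    public static void main(String[] args) throws Exception {
        // The embedded connection creates the database file and its first user,
        // who is ADMIN; this step runs only on the trusted host, never remotely.
        try (Connection admin = DriverManager.getConnection(
                "jdbc:h2:" + BASE_DIR + "/" + DB_NAME, "sa", "<admin-password>");
             Statement st = admin.createStatement()) {

            // Tier 1: non-admin account that may create and drop schemas it owns.
            st.execute("CREATE USER IF NOT EXISTS schema_admin PASSWORD '<pw1>'");
            st.execute("GRANT ALTER ANY SCHEMA TO schema_admin");

            // Tier 2: owner of a single schema, full rights inside it only.
            st.execute("CREATE USER IF NOT EXISTS app_owner PASSWORD '<pw2>'");
            st.execute("CREATE SCHEMA IF NOT EXISTS app AUTHORIZATION app_owner");

            // Tier 3: regular account with an explicit grant on one table.
            st.execute("CREATE TABLE IF NOT EXISTS app.orders("
                     + "id INT PRIMARY KEY, total DECIMAL(10,2))");
            st.execute("CREATE USER IF NOT EXISTS reporter PASSWORD '<pw3>'");
            st.execute("GRANT SELECT ON app.orders TO reporter");
        }

        // Insecure variant the post warns about (remote clients from any host,
        // remote creation of new databases):
        //   Server.createTcpServer("-tcpAllowOthers", "-ifNotExists", "-tcpPort", "9092")
        // Hardened start: local interface only, no remote database creation,
        // clients confined to databases under BASE_DIR. Firewalling the port
        // remains the application's responsibility.
        Server server = Server.createTcpServer(
                "-tcpPort", "9092",
                "-baseDir", BASE_DIR).start();
        System.out.println("H2 listening on " + server.getURL());
        // Clients then connect with jdbc:h2:tcp://localhost:9092/app as
        // reporter, app_owner or schema_admin, never as the ADMIN account.
    }
}
```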