Spring Boot Misconfiguration: H2 console enabled

Severity: Medium

Summary#

Invicti detected that the H2 Console is enabled.

H2 is a relational database management system written in Java. It can be embedded in Java applications or run in client-server mode. The H2 database comes with a H2 console application that is not enabled by default. This database console should only be enabled in the development phase and disabled once the application is deployed in a production environment. It was discovered that the H2 console is enabled on this Spring Boot website.

Impact#

An attacker can try to use default database credentials to gain access to the H2 databases.

Actions To Take#

It's recommended to disable access to the H2 console in production environments. To disable H2 console add the following line to application.properties:

spring.h2.console.enabled=false

Classifications#

OWASP 2017-A6, OWASP 2013-A5, CWE-16, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Select Category

Search Vulnerability

Related Vulnerabilities

Spring Boot Misconfiguration: H2 console enabled

Related Articles

Build your resistance to threats. And save hundreds of hours each month.