Description

H2 is a relational database management system written in Java. It can be embedded in Java applications or run in client-server mode. H2 ships with a web-based H2 console application that is not enabled by default in Spring Boot. The console should only be enabled during development and must be disabled once the application is deployed to a production environment, because it exposes direct SQL access to the application's database. It was discovered that the H2 console is enabled on this Spring Boot website.

Remediation

It is recommended to disable access to the H2 console in production environments. To disable the H2 console, add the following line to application.properties (or remove any line that sets it to true, since the default is disabled):

spring.h2.console.enabled=false
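As an added check (example code, not part of the original finding and not Spring Boot's own tooling), the script below parses an application.properties file and flags a console that is explicitly enabled. The property names are the standard Spring Boot ones; the check on spring.h2.console.settings.web-allow-others goes one step beyond the remediation line above and is an assumption of this example.

```python
# Added example (not part of the original finding): audit Spring Boot .properties
# files for an H2 console left enabled. Spring Boot defaults to the console being
# disabled, so only an explicit "true" is reported.
from pathlib import Path

H2_ENABLED = "spring.h2.console.enabled"
H2_PATH = "spring.h2.console.path"
# Assumed extra check: this setting opens the console to non-localhost clients.
H2_ALLOW_OTHERS = "spring.h2.console.settings.web-allow-others"


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: 'key=value' or 'key: value', '#'/'!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_h2_console(props: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the console is off."""
    findings = []
    if props.get(H2_ENABLED, "false").lower() == "true":
        path = props.get(H2_PATH, "/h2-console")  # Spring Boot default servlet path
        findings.append(f"H2 console enabled at {path}; set {H2_ENABLED}=false in production")
        if props.get(H2_ALLOW_OTHERS, "false").lower() == "true":
            findings.append(f"{H2_ALLOW_OTHERS}=true exposes the console beyond localhost")
    return findings


def audit_file(path: Path) -> list[str]:
    """Audit a properties file on disk, e.g. src/main/resources/application.properties."""
    return audit_h2_console(parse_properties(path.read_text()))


# Constructed samples: a production profile still carrying dev settings, and the fix.
SAMPLE_PROD = "server.port=8080\nspring.h2.console.enabled=true\n" \
              "spring.h2.console.settings.web-allow-others=true\n"
SAMPLE_FIXED = "spring.h2.console.enabled=false\n"

if __name__ == "__main__":
    for name, text in (("prod", SAMPLE_PROD), ("fixed", SAMPLE_FIXED)):
        print(name, audit_h2_console(parse_properties(text)) or ["ok"])
```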
