The first RESTful API for the Federal Election Commission. We're aiming to make campaign finance more accessible for journalists, academics, developers, and other transparency seekers.
Security information
Factors contributing to the scoring:
Snyk: [CVSS 5.3](https://security.snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-3146851) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
Affected versions of this package are vulnerable to Information Exposure when the H2 web-based admin console is started via the CLI with the argument -webAdminPassword, which lets a local user supply the password for the web admin console in plaintext. Consequently, a malicious local user, or an attacker who has obtained local access by some means, can recover the password for the H2 web admin console simply by inspecting the running processes.
Vendor Statement: This is not a vulnerability of the H2 Console; this is an example of how not to use it. I think there is nothing to do with it on the H2 side. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that.
Security information
Factors contributing to the scoring:
Snyk: [CVSS 4.7](https://security.snyk.io/vuln/SNYK-JAVA-ORGPOSTGRESQL-3146847) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
Affected versions of this package are vulnerable to Information Exposure in the pgjdbc driver, which writes to the operating system's shared temp directory when the InputStream passed to either PreparedStatement.setText(int, InputStream) or PreparedStatement.setBytea(int, InputStream) is larger than 2K. The temporary file is readable by other users; this is the default system behavior on Unix systems, but not on MacOS.
NOTE: This vulnerability is only fixed for JDK 1.7. Systems using JDK 1.6 or below can work around the vulnerability by setting java.io.tmpdir to a non-world-readable location.
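A host-side audit for the two local exposures described above, added here as an example (it is not code from the Snyk advisories or from this project): it flags any process whose argv carries -webAdminPassword, and reports whether a candidate java.io.tmpdir directory is readable or traversable by other local users. The fake /proc tree, pid 4242 and the password value are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

H2_FLAG = "-webAdminPassword"

def h2_password_args(argv):
    """Return any plaintext console passwords present in one process's argv."""
    found = []
    for i, arg in enumerate(argv):
        if arg == H2_FLAG and i + 1 < len(argv):
            found.append(argv[i + 1])
    return found

def scan_proc(proc_root="/proc"):
    """Map pid -> passwords for every process whose argv carries the flag.
    Reads <proc_root>/<pid>/cmdline (Linux /proc layout); proc_root is overridable."""
    hits = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:  # process exited or is not readable; skip it
            continue
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        passwords = h2_password_args(argv)
        if passwords:
            hits[int(entry.name)] = passwords
    return hits

def tmpdir_world_accessible(path):
    """True if 'other' may read or traverse the directory, so the files pgjdbc
    spills there (world-readable by default on Unix) are reachable by any local user."""
    return bool(os.stat(path).st_mode & (stat.S_IROTH | stat.S_IXOTH))

def demo():
    """Run both checks on constructed input: a fake /proc tree holding one H2
    console process (pid 4242), plus a private (0700) and a shared (0755) temp dir."""
    root = Path(tempfile.mkdtemp(prefix="fakeproc-"))
    (root / "4242").mkdir()
    argv = ["java", "-cp", "h2.jar", "org.h2.tools.Console", H2_FLAG, "s3cret"]
    (root / "4242" / "cmdline").write_bytes(b"\0".join(a.encode() for a in argv) + b"\0")
    (root / "self").mkdir()  # non-numeric /proc entry; must be skipped
    private = tempfile.mkdtemp(prefix="jvm-tmp-")  # mkdtemp creates it with mode 0700
    shared = tempfile.mkdtemp(prefix="jvm-tmp-")
    os.chmod(shared, 0o755)  # the mode a typical shared temp directory has
    return {"hits": scan_proc(root), "private_exposed": tmpdir_world_accessible(private),
            "shared_exposed": tmpdir_world_accessible(shared)}
```

On a live Linux host, `scan_proc()` with its default root walks the real process table, and `tmpdir_world_accessible` can be pointed at whatever directory is passed as -Djava.io.tmpdir.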
Completion criteria:
[ ] Snyk is no longer showing this vulnerability or we have determined we are not affected and it has been ignored
Detailed paths
Introduced through: unknown:unknown@0.0.0 › org.flywaydb:flyway-commandline@9.7.0 › com.h2database:h2@2.1.214
com.h2database:h2 is a database engine.
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for the PostgreSQL database.