Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-23463

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

Published

2021-12-10T20:15:07.917

Last Modified

2024-11-21T05:51:47.487

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-611

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	h2database	h2	< 2.0.202	Yes

References

https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3 Broken Link ([email protected])
https://github.com/h2database/h2database/issues/3195 Exploit, Issue Tracking, Patch, Third Party Advisory ([email protected])
https://github.com/h2database/h2database/pull/3199 Issue Tracking, Patch, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20230818-0010/ ([email protected])
https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238 Exploit, Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Not Applicable ([email protected])
https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/h2database/h2database/issues/3195 Exploit, Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/h2database/h2database/pull/3199 Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230818-0010/ (af854a3a-2127-422b-91ae-364da2661108)
https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238 Exploit, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Not Applicable (af854a3a-2127-422b-91ae-364da2661108)