Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03cnBqLWhnNDctY3g2Ms0auA
Improper Restriction of XML External Entity Reference in com.h2database:h2.
H2 is an embeddable RDBMS written in Java. The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.
Permalink: https://github.com/advisories/GHSA-7rpj-hg47-cx62JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03cnBqLWhnNDctY3g2Ms0auA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 9 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Identifiers: GHSA-7rpj-hg47-cx62, CVE-2021-23463
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23463
- https://github.com/h2database/h2database/issues/3195
- https://github.com/h2database/h2database/pull/3199
- https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3
- https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238
- https://github.com/h2database/h2database/pull/3199#issuecomment-1002830390
- https://github.com/boris-unckel/h2database/commit/f9ad6aef2bfa59eba2b4d3e7c4c32d2cce8e8b05
- https://security.netapp.com/advisory/ntap-20230818-0010/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/advisories/GHSA-7rpj-hg47-cx62
Blast Radius: 44.0
Affected Packages
maven:com.h2database:h2
Dependent packages: 7,790Dependent repositories: 266,808
Downloads:
Affected Version Ranges: >= 1.4.198, < 2.0.202
Fixed in: 2.0.202
All affected versions: 1.4.198, 1.4.199, 1.4.200
All unaffected versions: 1.0.57, 1.0.58, 1.0.59, 1.0.60, 1.0.61, 1.0.62, 1.0.63, 1.0.64, 1.0.65, 1.0.66, 1.0.67, 1.0.68, 1.0.69, 1.0.70, 1.0.71, 1.0.72, 1.0.73, 1.0.74, 1.0.75, 1.0.76, 1.0.77, 1.0.78, 1.0.79, 1.0.20061217, 1.0.20070304, 1.0.20070429, 1.0.20070617, 1.1.100, 1.1.101, 1.1.102, 1.1.103, 1.1.104, 1.1.105, 1.1.106, 1.1.107, 1.1.108, 1.1.109, 1.1.110, 1.1.111, 1.1.112, 1.1.113, 1.1.114, 1.1.115, 1.1.116, 1.1.117, 1.1.118, 1.1.119, 1.2.120, 1.2.121, 1.2.122, 1.2.123, 1.2.124, 1.2.125, 1.2.126, 1.2.127, 1.2.128, 1.2.129, 1.2.130, 1.2.131, 1.2.132, 1.2.133, 1.2.134, 1.2.135, 1.2.136, 1.2.137, 1.2.138, 1.2.139, 1.2.140, 1.2.141, 1.2.142, 1.2.143, 1.2.144, 1.2.145, 1.2.147, 1.3.146, 1.3.148, 1.3.149, 1.3.150, 1.3.151, 1.3.152, 1.3.153, 1.3.154, 1.3.155, 1.3.156, 1.3.157, 1.3.158, 1.3.159, 1.3.160, 1.3.161, 1.3.162, 1.3.163, 1.3.164, 1.3.165, 1.3.166, 1.3.167, 1.3.168, 1.3.169, 1.3.170, 1.3.171, 1.3.172, 1.3.173, 1.3.174, 1.3.175, 1.3.176, 1.4.177, 1.4.178, 1.4.179, 1.4.180, 1.4.181, 1.4.182, 1.4.183, 1.4.184, 1.4.185, 1.4.186, 1.4.187, 1.4.188, 1.4.189, 1.4.190, 1.4.191, 1.4.192, 1.4.193, 1.4.194, 1.4.195, 1.4.196, 1.4.197, 2.0.202, 2.0.204, 2.0.206, 2.1.210, 2.1.212, 2.1.214, 2.2.220, 2.2.222, 2.2.224