CVE-2021-23463
Summary
| CVE | CVE-2021-23463 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-12-10 20:15:00 UTC |
| Updated | 2023-08-18 14:15:00 UTC |
| Description | The package com.h2database:h2 from version 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class, when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. Calling its getSource() method with DOMSource.class as the parameter triggers the vulnerability. |
Risk And Classification
Problem Types: CWE-611 (Improper Restriction of XML External Entity Reference)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | H2database | H2 | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Report a H2-Database-Engine SQLXML XXE vulnerability · Issue #3195 · h2database/h2database · GitHub | CONFIRM | github.com | |
| N/A | CONFIRM | github.com | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| CVE-2021-23463 H2 Database Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| XML External Entity (XXE) Injection in com.h2database:h2 | Snyk | CONFIRM | snyk.io | |
| Fix for #3195 CQLXML XXE vulnerability by andreitokar · Pull Request #3199 · h2database/h2database · GitHub | CONFIRM | github.com | |
| fix for #3195 CQLXML XXE vulnerability · h2database/h2database@d83285f · GitHub | MITRE | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: threedr3am of SecCoder Security Lab
There are currently no legacy QID mappings associated with this CVE.