{"api_version":"1","generated_at":"2026-04-23T01:19:44+00:00","cve":"CVE-2021-23463","urls":{"html":"https://cve.report/CVE-2021-23463","api":"https://cve.report/api/cve/CVE-2021-23463.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-23463","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-23463"},"summary":{"title":"CVE-2021-23463","description":"The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.","state":"PUBLIC","assigner":"report@snyk.io","published_at":"2021-12-10 20:15:00","updated_at":"2023-08-18 14:15:00"},"problem_types":["CWE-611"],"metrics":[],"references":[{"url":"https://github.com/h2database/h2database/issues/3195","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Report a H2-Database-Engine SQLXML XXE vulnerability · Issue #3195 · h2database/h2database · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3","name":"N/A","refsource":"CONFIRM","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":""},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","name":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20230818-0010/","name":"https://security.netapp.com/advisory/ntap-20230818-0010/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-23463 H2 Database Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238","name":"N/A","refsource":"CONFIRM","tags":[],"title":"XML External Entity (XXE) Injection in com.h2database:h2 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/h2database/h2database/pull/3199","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Fix for #3195 CQLXML XXE vulnerability by andreitokar · Pull Request #3199 · h2database/h2database · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8#diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3","name":"MISC:https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3","refsource":"MITRE","tags":[],"title":"fix for #3195 CQLXML XXE vulnerability · h2database/h2database@d83285f · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-23463","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23463","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"threedr3am of SecCoder Security Lab","lang":""}],"nvd_cpes":[{"cve_year":"2021","cve_id":"23463","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"h2database","cpe5":"h2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"report@snyk.io","DATE_PUBLIC":"2021-12-10T20:00:01.774696Z","ID":"CVE-2021-23463","STATE":"PUBLIC","TITLE":"XML External Entity (XXE) Injection"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"com.h2database:h2","version":{"version_data":[{"version_affected":">=","version_value":"0"},{"version_affected":"<","version_value":"2.0.202"}]}}]},"vendor_name":"n/a"}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"XML External Entity (XXE) Injection"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://github.com/h2database/h2database/issues/3195","name":"https://github.com/h2database/h2database/issues/3195"},{"refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238","name":"https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238"},{"refsource":"MISC","url":"https://github.com/h2database/h2database/pull/3199","name":"https://github.com/h2database/h2database/pull/3199"},{"refsource":"MISC","url":"https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3","name":"https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230818-0010/","url":"https://security.netapp.com/advisory/ntap-20230818-0010/"}]},"description":{"description_data":[{"lang":"eng","value":"The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability."}]},"impact":{"cvss":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:P","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"}},"credit":[{"lang":"eng","value":"threedr3am of SecCoder Security Lab"}]},"nvd":{"publishedDate":"2021-12-10 20:15:00","lastModifiedDate":"2023-08-18 14:15:00","problem_types":["CWE-611"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:h2database:h2:*:*:*:*:*:*:*:*","versionStartIncluding":"1.4.198","versionEndExcluding":"2.0.202","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"23463","Ordinal":"198190","Title":"CVE-2021-23463","CVE":"CVE-2021-23463","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"23463","Ordinal":"1","NoteData":"The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"23463","Ordinal":"2","NoteData":"2021-12-10","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"23463","Ordinal":"3","NoteData":"2022-01-03","Type":"Other","Title":"Modified"}]}}}