High severity · NVD Advisory · Published Dec 10, 2021 · Updated Sep 17, 2024
XML External Entity (XXE) Injection
CVE-2021-23463
Description
Versions of the package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. The vulnerability is triggered when the getSource() method is executed with DOMSource.class as the parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.h2database:h2 (Maven) | >= 1.4.198, < 2.0.202 | 2.0.202 |
Affected products
- h2database/h2
References
- github.com/advisories/GHSA-7rpj-hg47-cx62
- nvd.nist.gov/vuln/detail/CVE-2021-23463
- github.com/boris-unckel/h2database/commit/f9ad6aef2bfa59eba2b4d3e7c4c32d2cce8e8b05
- github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3
- github.com/h2database/h2database/issues/3195
- github.com/h2database/h2database/pull/3199
- security.netapp.com/advisory/ntap-20230818-0010
- snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238
- www.oracle.com/security-alerts/cpuapr2022.html