CVE Vulnerability

CVE-2021-23463

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

6.4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

Scope

9.1 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/h2database/h2database/issues/3195 Exploit Issue Tracking
https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238 Exploit Patch
https://github.com/h2database/h2database/pull/3199 Issue Tracking Patch
https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3 Broken Link
https://www.oracle.com/security-alerts/cpuapr2022.html Not Applicable
Configurations

Configuration 1

cpe:2.3:a:h2database:h2:*:*:*:*:*:*:*:*
Information

Published : 2021-12-10 08:15

Updated : 2022-04-28 02:53

NVD link : CVE-2021-23463

Mitre link : CVE-2021-23463

Products Affected
No products.
CWE
CWE-611

Improper Restriction of XML External Entity Reference