CVE-2021-23463

moderate-risk
Published 2021-12-10

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

Do I need to act?

-
0.77% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / LOW complexity

Affected Products (1)

H2

Affected Vendors

H2Database

References (12)

Broken Link https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5...
Exploit https://github.com/h2database/h2database/issues/3195
Issue Tracking https://github.com/h2database/h2database/pull/3199
https://security.netapp.com/advisory/ntap-20230818-0010/
Exploit https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238
Not Applicable https://www.oracle.com/security-alerts/cpuapr2022.html
Broken Link https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5...
Exploit https://github.com/h2database/h2database/issues/3195
Issue Tracking https://github.com/h2database/h2database/pull/3199
https://security.netapp.com/advisory/ntap-20230818-0010/
Exploit https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238
Not Applicable https://www.oracle.com/security-alerts/cpuapr2022.html
36
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 3/34 · Minimal
Exposure 5/34 · Minimal