CVE-2021-23463

Source
https://cve.org/CVERecord?id=CVE-2021-23463
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23463.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-23463
Aliases
Related
  • SNYK-JAVA-COMH2DATABASE-1769238
Published
2021-12-10T20:15:07.917Z
Modified
2026-03-13T00:53:00.270373Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Summary
[none]
Details

Versions of the package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class, when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. Calling its getSource() method with DOMSource.class as the parameter triggers the vulnerability.

References

Affected packages

Git / github.com/h2database/h2database

Affected ranges

Type
GIT
Repo
https://github.com/h2database/h2database
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.4.198"
        },
        {
            "fixed": "2.0.202"
        }
    ]
}

Affected versions

version-1.4.198
version-1.4.199
version-1.4.200

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23463.json"