CVE-2021-23463

Public Exploit

XML External Entity (XXE) Injection

Description

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

References

Link	Tags
https://github.com/h2database/h2database/issues/3195	issue tracking patch exploit third party advisory
https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238	exploit third party advisory patch
https://github.com/h2database/h2database/pull/3199	issue tracking third party advisory patch
https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3	broken link
https://www.oracle.com/security-alerts/cpuapr2022.html	not applicable
https://security.netapp.com/advisory/ntap-20230818-0010/

Frequently Asked Questions

What is the severity of CVE-2021-23463?: CVE-2021-23463 has been scored as a high severity vulnerability.
How to fix CVE-2021-23463?: To fix CVE-2021-23463, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-23463 being actively exploited in the wild?: It is possible that CVE-2021-23463 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-23463?: CVE-2021-23463 affects n/a com.h2database:h2.

Description

Category

CWE-611 – Improper Restriction of XML External Entity Reference

References

Frequently Asked Questions