CVE-2021-23463: Improper Restriction of XML External Entity Reference
(updated )
The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.
References
- github.com/advisories/GHSA-7rpj-hg47-cx62
- github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8%23diff-008c2e4462609982199cd83e7cf6f1d6b41296b516783f6752c44b9f15dc7bc3
- github.com/h2database/h2database/issues/3195
- github.com/h2database/h2database/pull/3199
- nvd.nist.gov/vuln/detail/CVE-2021-23463
Detect and mitigate CVE-2021-23463 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →