CVSSv2: 6.4

CVE-2021-23463

Published: 10/12/2021 Updated: 18/08/2023
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
CVSS v3 Base Score: 9.1 | Impact Score: 5.2 | Exploitability Score: 3.9
VMScore: 571
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

Vulnerability Summary

The package com.h2database:h2, from version 1.4.198 and prior to 2.0.202, is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class. The issue occurs when a JdbcSQLXML object receives string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method and the application then calls its getSource() method with DOMSource.class as the parameter; the XML is parsed with external entities enabled, which triggers the vulnerability.

Vulnerability Trend

Vulnerable Products

h2database h2

Github Repositories

Apache POI for JPHP! WARNING: this product uses the Log4J package from Maven (Apache Log4j Core » 2171). Vulnerabilities from dependencies: CVE-2021-42550, CVE-2021-4104, CVE-2021-23463, CVE-2019-17571

jdbc-sqlxml-xxe: h2-jdbc (CVE-2021-23463, https://github.com/h2database/h2database/issues/3195) and mysql-jdbc (CVE-2021-2471) SQLXML XXE vulnerability reproduction.