CVE-2021-23463

2021-12-1020:15:07

Debian Security Bug Tracker

security-tracker.debian.org

cve-2021-23463

xml external entity (xxe) injection

jdbcsqlxml class

getsource method

domsource

unix

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS

0.01

Percentile

84.2%

JSON

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

OSVersionArchitecturePackageVersionFilename
Debian12allh2database< 2.1.214-1h2database_2.1.214-1_all.deb
Debian11allh2database< 1.4.197-4+deb11u1h2database_1.4.197-4+deb11u1_all.deb
Debian999allh2database< 2.2.220-1h2database_2.2.220-1_all.deb
Debian13allh2database< 2.2.220-1h2database_2.2.220-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	h2database	< 2.1.214-1	h2database_2.1.214-1_all.deb
Debian	11	all	h2database	< 1.4.197-4+deb11u1	h2database_1.4.197-4+deb11u1_all.deb
Debian	999	all	h2database	< 2.2.220-1	h2database_2.2.220-1_all.deb
Debian	13	all	h2database	< 2.2.220-1	h2database_2.2.220-1_all.deb