CVE-2021-23463

Name of the Vulnerable Software and Affected Versions com.h2database:h2 versions 1.4.198 through 2.0.202

Description The issue is related to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object. This occurs when the object receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method and executes the getSource() method with the parameter DOMSource.class. The vulnerability allows a remote attacker to conduct XXE attacks due to incorrect restriction of XML external entity references.

Recommendations For versions 1.4.198 through 2.0.202, consider disabling the org.h2.jdbc.JdbcSQLXML class object or restricting its use until a patch is available. As a temporary workaround, avoid using the getSource() method with the parameter DOMSource.class to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.