Vulnerability DatabaseCVE-2021-23463

CVE-2021-23463:
H2 Database vulnerability analysis and mitigation

Overview

The vulnerability CVE-2021-23463 affects the H2 database package (com.h2database:h2) versions from 1.4.198 and before 2.0.202. It is an XML External Entity (XXE) Injection vulnerability that occurs in the org.h2.jdbc.JdbcSQLXML class object when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method (CVE Mitre, NVD).

Technical details

The vulnerability is triggered when the JdbcSQLXML object executes the getSource() method with DOMSource.class as the parameter. This leads to unprotected parsing of XML, resulting in XXE. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical), with network attack vector, low attack complexity, no privileges required, and no user interaction needed (Ubuntu Security, Snyk Report).

Impact

A successful exploitation of this vulnerability can result in total loss of confidentiality, allowing attackers to access sensitive information. Additionally, it can lead to a complete loss of availability, potentially resulting in denial of service conditions. The vulnerability has no impact on system integrity (Snyk Report).

Mitigation and workarounds

The vulnerability has been fixed in H2 database version 2.0.202. Users are advised to upgrade to this version or later. The fix was implemented through a pull request that addresses the XXE vulnerability in the SQLXML implementation (GitHub PR).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

9.1

Score

Published December 10, 2021

Severity CRITICAL

CNA Score 8.1

Affected Technologies

H2 Database
Java

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 58.4

Exploitation Probability (EPSS) 0.4

Affected packages and libraries

h2
com.h2database:h2

Sources

GitHub Advisory Database
- Maven Severity HIGHHas FixAdded at: Dec 16, 2021
Homebrew
- Homebrew Severity CRITICALHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity CRITICALHas FixAdded at: Oct 10, 2023
NVD
- Linux Severity CRITICALHas FixAdded at: Jan 09, 2022
- Windows Severity CRITICALHas FixAdded at: Jan 09, 2022

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related H2 Database vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2022-23221	CRITICAL	9.8	H2 Database	h2	No	Yes	Jan 19, 2022
CVE-2021-42392	CRITICAL	9.8	H2 Database	com.h2database:h2	No	Yes	Jan 10, 2022
CVE-2021-23463	CRITICAL	9.1	H2 Database	h2	No	Yes	Dec 10, 2021
CVE-2022-45868	HIGH	7.8	H2 Database	h2	No	Yes	Nov 23, 2022
CVE-2018-14335	MEDIUM	6.5	H2 Database	cpe:2.3:a:h2database:h2	No	Yes	Jul 24, 2018

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-23463: H2 Database vulnerability analysis and mitigation