Bug 2033392 (CVE-2021-23463)

Summary: CVE-2021-23463 h2database: XXE injection vulnerability
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aileenc, avibelli, bgeorges, chazlett, clement.escoffier, dandread, dkreling, eric.wittmann, gmalinko, gsmet, janstey, jochrist, jwon, lthon, mrobson, pantinor, pdelbell, peholase, pgallagh, pjindal, probinso, rruss, rsvoboda, sbiarozk
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: mrobson: needinfo-
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the h2database. This flaw allows an attacker to benefit from XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object. A user may trigger the vulnerability by sending malicious data.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2033395

Description Guilherme de Almeida Suckevicz 2021-12-16 16:40:07 UTC
The package com.h2database:h2 from 0 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class, it will trigger the vulnerability.

References:
https://github.com/h2database/h2database/issues/3195
https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238

Upstream patch:
https://github.com/h2database/h2database/pull/3199
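As an added illustration (not code from the H2 project and not the upstream fix in PR 3199), the following Java snippet contrasts a DocumentBuilderFactory in its default configuration, which processes a DOCTYPE and expands the entities it declares, with one hardened against XXE. The class name, the helper methods and the sample document are constructed for this example; the feature URIs are the standard JAXP/Xerces identifiers understood by the JDK's built-in parser. The sample deliberately declares only an internal entity, which is enough to show whether a parser honours DTD declarations at all.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedSqlXmlParse {

    // Constructed sample: a DOCTYPE declaring one internal entity. It is benign,
    // but a parser that honours it would equally honour an external one.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE note [<!ENTITY greet \"hello\">]>"
        + "<note>&greet;</note>";

    // Default factory: DTDs are processed and entity references expanded. This is
    // the class of behaviour the advisory describes for getSource(DOMSource.class)
    // on an untrusted SQLXML value before h2 2.0.202.
    static DocumentBuilderFactory laxFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: refuse any DOCTYPE, disable external entity resolution,
    // never fetch an external DTD, and enable JAXP secure processing.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse the document with the given factory and return the root element's text.
    static String parseText(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Lax parser: the entity reference is expanded and "hello" is printed.
        System.out.println("lax: " + parseText(laxFactory(), SAMPLE_WITH_DTD));
        try {
            parseText(hardenedFactory(), SAMPLE_WITH_DTD);
            System.out.println("hardened: unexpectedly accepted a DOCTYPE");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is rejected before any entity, internal or
            // external, can be resolved.
            System.out.println("hardened: rejected -> " + e.getMessage());
        }
    }
}
```

Running it prints the expanded text for the lax parser and a SAXParseException message for the hardened one. Disallowing the DOCTYPE outright is the simplest defensible setting for XML that arrives through a database column; the remaining feature flags are kept so that the configuration stays safe on parser implementations that do not support disallow-doctype-decl. When auditing a dependency like the one named in this bug, the question to settle is whether any code path calls getSQLXML() on data that an untrusted party can write, and whether the parser behind getSource() is configured like hardenedFactory() or like laxFactory().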

Comment 1 juneau 2021-12-16 20:13:13 UTC
Affected component found in service registry. Code not reviewed to determine if method is in use.