CVE-2021-23463 (High) Detected In H2-1.4.199.jar, H2-1.4.200.jar ...

Skip to content Dismiss alert {{ message }} hapifhir / hapi-fhir Public

• Notifications You must be signed in to change notification settings
• Fork 1.3k
• Star 2k

• Code
• Issues 919
• Pull requests 232
• Actions
• Projects
• Wiki
• Security
• Insights

Additional navigation options

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom CVE-2021-23463 (High) detected in h2-1.4.199.jar, h2-1.4.200.jar - autoclosed #3253 Closed mend-bolt-for-github bot opened this issue Dec 17, 2021 · 1 comment Closed CVE-2021-23463 (High) detected in h2-1.4.199.jar, h2-1.4.200.jar - autoclosed #3253 mend-bolt-for-github bot opened this issue Dec 17, 2021 · 1 comment Labels Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

Copy link Contributor

mend-bolt-for-github bot commented Dec 17, 2021 • edited Loading

CVE-2021-23463 - High Severity Vulnerability Vulnerable Libraries - h2-1.4.199.jar, h2-1.4.200.jar h2-1.4.199.jar H2 Database Engine Library home page: http://www.h2database.com Path to dependency file: /hapi-fhir-jpaserver-test-utilities/pom.xml Path to vulnerable library: /repository/com/h2database/h2/1.4.199/h2-1.4.199.jar Dependency Hierarchy: ❌ h2-1.4.199.jar (Vulnerable Library) h2-1.4.200.jar H2 Database Engine Library home page: https://h2database.com Path to dependency file: /hapi-fhir-cli/hapi-fhir-cli-app/pom.xml Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.4.200/h2-1.4.200.jar Dependency Hierarchy: hapi-fhir-cli-jpaserver-5.7.0-PRE8-SNAPSHOT.jar (Root Library) ❌ h2-1.4.200.jar (Vulnerable Library) Found in base branch: master Vulnerability Details The package com.h2database:h2 from 0 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability. Publish Date: 2021-12-10 URL: CVE-2021-23463 CVSS 3 Score Details (9.1) Base Score Metrics: Exploitability Metrics: Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Impact Metrics: Confidentiality Impact: High Integrity Impact: None Availability Impact: High For more information on CVSS3 Scores, click here. Suggested Fix Type: Upgrade version Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23463 Release Date: 2021-12-10 Fix Resolution: com.h2database:h2:2.0.202 Step up your Open Source Security Game with WhiteSource here

All reactions mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Dec 17, 2021 mend-bolt-for-github bot changed the title CVE-2021-23463 (High) detected in h2-1.4.199.jar, h2-1.4.200.jar CVE-2021-23463 (High) detected in h2-1.4.199.jar, h2-1.4.200.jar - autoclosed Jan 4, 2022 Copy link Contributor Author

mend-bolt-for-github bot commented Jan 4, 2022

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

All reactions mend-bolt-for-github bot closed this as completed Jan 4, 2022 Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment Assignees No one assigned Labels Mend: dependency security vulnerability Security vulnerability detected by WhiteSource Projects None yet Milestone No milestone Development

No branches or pull requests

0 participants You can’t perform that action at this time.