
Fix for #3195 CQLXML XXE vulnerability #3199

Merged
merged 1 commit into from Nov 5, 2021

Conversation

andreitokar
Contributor

Here is the fix #3195 , but I have no idea as to when it might be released. 😞

@andreitokar andreitokar merged commit 7966835 into h2database:master Nov 5, 2021
3 checks passed
@andreitokar andreitokar deleted the issue_3195 branch November 5, 2021 03:21
@husseyd

husseyd commented Nov 5, 2021

Hey @andreitokar looks like over two years since a release :O

Anything that could be done to get this published?

@husseyd husseyd mentioned this pull request Nov 5, 2021
@drealeed

drealeed commented Nov 8, 2021

Can this security vulnerability fix be patched to the previous release as well?

@cdarau

cdarau commented Nov 10, 2021

Same need here, please

@srakonjac-nq srakonjac-nq mentioned this pull request Nov 11, 2021
wclarkpk added a commit to wclarkpk/h2database that referenced this pull request Dec 21, 2021
@shapirobh

In researching this vulnerability, I found that the JdbcResultSet.getSQLXML() method is unsupported in all versions of H2 prior to 1.4.198. It appears that this only affects versions 1.4.198 to 2.0.201; can we get the vulnerability updated so that it doesn't show that this affects older versions of H2?

@andreitokar
Contributor Author

You probably need to ask the person who posted this vulnerability.

@shapirobh

CVE-2021-23463 references this GitHub page. I am not sure who reported or "confirmed" that it affected all previous versions of H2, but it is incorrect. I don't have access to the CVE page to make adjustments and I don't know who would.

Maven uses the CVE report to tag builds with vulnerabilities, and so all of the Maven builds are mis-tagged on this page.

@attritionorg

You'd have to contact MITRE, they are the only ones who can update those entries. The person who requested the CVE likely said "all versions" which is very common to see in researcher and vendor disclosures, even if all versions were not tested.

@katzyn
Contributor

katzyn commented Dec 30, 2021

Only 1.4.198, 1.4.199, and 1.4.200 are affected. (There is no version with build id 201.)

This vulnerability can only affect an application when it calls one of these methods to read values from untrusted sources. If an application doesn't call them (most applications don't), it is safe. If an application calls them, but all XML values were generated by this application and they can't contain references to external pages, it is still safe.
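
The distinction drawn above (untrusted XML reaching a parser that resolves external entities versus application-generated XML, or a parser that refuses DOCTYPE) is easiest to see with a stand-alone JAXP example. The code below is an added illustration for this thread, not H2's code and not the contents of the fix commit; it parses a constructed hostile document with a default-configured `DocumentBuilderFactory` and again with a hardened one. The temp file standing in for a secret, the `XxeDemo` class and the helper names are all assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // JDK-default parser: DOCTYPE declarations are honoured and external general
    // entities are fetched and inlined into the document. That is the XXE condition.
    static DocumentBuilder permissiveBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened parser: reject any DOCTYPE outright, and additionally switch off
    // external entities, external DTD loading, XInclude and entity expansion so
    // the parser is safe even if a DTD were somehow allowed through.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the XML and return the text of the root element, i.e. what an
    // application would "see" after reading an SQLXML value.
    static String parseAndReadRoot(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret": a temp file standing in for /etc/passwd or a
        // credential file that an attacker-supplied XML value could point at.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "top-secret-token");
        secret.toFile().deleteOnExit();

        // Constructed attacker-controlled value: the kind of XML that would be
        // stored from an untrusted source and later read back through an SQLXML getter.
        String hostile = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<doc>&xxe;</doc>";

        // Default parser: the file contents come back as the element text.
        System.out.println("permissive parser read: " + parseAndReadRoot(permissiveBuilder(), hostile));

        // Hardened parser: the DOCTYPE is rejected before any entity is resolved.
        try {
            parseAndReadRoot(hardenedBuilder(), hostile);
            System.out.println("hardened parser: unexpectedly accepted the document");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }

        // Application-generated XML with no DOCTYPE parses the same either way,
        // which is the "still safe" case described in the comment above.
        String benign = "<doc>hello</doc>";
        System.out.println("hardened parser on benign XML: " + parseAndReadRoot(hardenedBuilder(), benign));
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo` on Java 11 or later (`Files.writeString` is a Java 11 API). The first line prints the secret file's contents, demonstrating the read; the second shows the hardened factory failing closed on the DOCTYPE; the third shows that rejecting DOCTYPE costs nothing for XML the application produced itself.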

@marcelstoer
Contributor

@andreitokar can this be backported to 1.4? Once we have a 1.4.201 release we can have Snyk and NIST adjust the CVE (did this before).

@chadlwilson

See #3195 (comment) and related conversation

Development

Successfully merging this pull request may close these issues.

Report a H2-Database-Engine SQLXML XXE vulnerability
9 participants