Fix for #3195 CQLXML XXE vulnerability #3199
Conversation
Hey @andreitokar, looks like it's been over two years since a release :O Anything that could be done to get this published?
Can this security vulnerability fix be patched to the previous release as well? |
Same need here, please |
In researching this vulnerability, I found that the JdbcResultSet.getSQLXML() method is unsupported in all versions of H2 prior to 1.4.198. It appears that this only affects versions 1.4.198 to 2.0.201. Can we get the vulnerability updated so that it doesn't show that this affects older versions of H2?
You probably need to ask the person who posted this vulnerability. |
CVE-2021-23463 references this GitHub page. I am not sure who reported or "confirmed" that it affected all previous versions of H2, but it is incorrect. I don't have access to the CVE page to make adjustments and I don't know who would. Maven uses the CVE report to tag builds with vulnerabilities, so all of the Maven builds are mis-tagged on this page.
You'd have to contact MITRE; they are the only ones who can update those entries. The person who requested the CVE likely said "all versions", which is very common to see in researcher and vendor disclosures, even if all versions were not tested.
Only 1.4.198, 1.4.199, and 1.4.200 are affected. (There is no version with build id 201.) This vulnerability can only affect an application when it calls one of these methods to read values from untrusted sources. If the application doesn't call them (most applications don't), it is safe. If the application calls them, but all XML values were generated by this application and they can't contain references to external pages, it is still safe.
@andreitokar can this be backported to 1.4? Once we have a 1.4.201 release we can have Snyk and NIST adjust the CVE (did this before). |
See #3195 (comment) and related conversation |
Here is the fix, #3195, but I have no idea as to when it might be released. 😞