{
  "threat_severity" : "Important",
  "public_date" : "2021-10-22T00:00:00Z",
  "bugzilla" : {
    "description" : "h2database: XXE injection vulnerability",
    "id" : "2033392",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2033392"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-611",
  "details" : [ "The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.", "A flaw was found in the h2database. This flaw allows an attacker to benefit from XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object. A user may trigger the vulnerability by sending malicious data." ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Affected",
    "package_name" : "com.h2database.h2",
    "cpe" : "cpe:/a:redhat:service_registry:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Affected",
    "package_name" : "com.h2database.h2",
    "cpe" : "cpe:/a:redhat:quarkus:2"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "com.h2database.h2",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Service Registry",
    "fix_state" : "Out of support scope",
    "package_name" : "com.h2database.h2",
    "cpe" : "cpe:/a:redhat:integration:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-23463\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23463" ],
  "name" : "CVE-2021-23463",
  "csaw" : false
}