CVE-2021-23463 - XML External Entity (XXE) Injection

Severity: Low

2022-02-08


Abstract

The package com.h2database:h2 from version 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. If the getSource() method is executed with DOMSource.class as its parameter, the vulnerability is triggered.

The Oxygen License Server product incorporates com.h2database:h2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen License Server v24.0 and older | Low | Oxygen License Server 24.0 build 2022020113 |

Mitigation

None

Detail

CVE-2021-23463

Severity: Critical

CVSS Score: 9.1

The com.h2database:h2 third-party library used by Oxygen XML products is one of the versions listed as affected in the CVE-2021-23463 vulnerability description. However, this library is not used to parse XML data from untrusted sources. For that reason, we have rated the severity level for our products as Low.
