OpenAS2 / OpenAs2App

OpenAS2 is a java-based implementation of the EDIINT AS2 standard. It is intended to be used as a server. It is extremely configurable and supports a wide variety of signing and encryption algorithms.

Home Page: https://sourceforge.net/projects/openas2/

CVE-2021-23463

jbrenaudin opened this issue · comments

Could you please update the h2 library because there is a vulnerability (High severity) with the version 1.4.200: https://nvd.nist.gov/vuln/detail/CVE-2021-23463

CVE: CVE-2021-23463
Priority: high severity
Vulnerable versions: < 2.0.202
Patched version: 2.0.202
The package com.h2database:h2 from 0 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

Thanks
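For readers of this thread, an added example (not OpenAS2 or H2 code) of what the advisory describes: the `getSQLXML().getSource(DOMSource.class)` call that a pre-2.0.202 H2 resolves with a default XML parser, beside a hardened path that reads the column as text and parses it with DOCTYPE and external entities disabled, which protects an application reading SQLXML columns regardless of the H2 version it ships. The `ResultSet` and column index are assumed inputs.

```java
import java.io.StringReader;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.SQLXML;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SqlXmlHardening {

    // Pattern from the advisory: on h2 < 2.0.202 (CVE-2021-23463) JdbcSQLXML builds
    // the DOM with a default parser, so a DOCTYPE carrying an external entity in the
    // stored column value is resolved while the Source is created.
    static Document parseViaDriver(ResultSet rs, int column) throws SQLException {
        SQLXML xml = rs.getSQLXML(column);
        DOMSource source = xml.getSource(DOMSource.class);
        return (Document) source.getNode();
    }

    // Hardened: take the raw text from the driver and parse it with a factory that
    // refuses DOCTYPE declarations and external entities. Independent of driver version.
    static Document parseHardened(ResultSet rs, int column) throws Exception {
        SQLXML xml = rs.getSQLXML(column);
        String text = xml.getString();
        DocumentBuilder builder = secureFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(text)));
    }

    static DocumentBuilderFactory secureFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting DOCTYPE outright blocks XXE and entity-expansion (billion laughs) alike.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
}
```

Upgrading to h2 2.0.202 or later remains the primary fix; the hardened parser is the compensating control for code paths that must keep parsing SQLXML content.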

This will be patched in the next release.
The XML capabilities of H2 are not used in OpenAS2, so it is not an active threat.

Thanks a lot.