[jira] [Assigned] (HIVE-26566) Upgrade H2 database version to 2.1.214

2022-09-26 Thread Naveen Gangam (Jira)


 [ 
https://issues.apache.org/jira/browse/HIVE-26566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Naveen Gangam reassigned HIVE-26566:


Assignee: Naveen Gangam  (was: Stamatis Zampetakis)

> Upgrade H2 database version to 2.1.214
> --
>
> Key: HIVE-26566
> URL: https://issues.apache.org/jira/browse/HIVE-26566
> Project: Hive
>  Issue Type: Task
>  Components: Testing Infrastructure
>Reporter: Stamatis Zampetakis
>Assignee: Naveen Gangam
>Priority: Minor
>  Labels: pull-request-available
> Fix For: 4.0.0, 4.0.0-alpha-1
>
>
> CVE-2021-23463 (CRITICAL severity) - The package com.h2database:h2 from 
> 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) 
> Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives 
> parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it 
> executes the getSource() method when the parameter is DOMSource.class it will 
> trigger the vulnerability.
> CVE-2021-42392 (CRITICAL severity) - The org.h2.util.JdbcUtils.getConnection 
> method of the H2 database takes as parameters the class name of the driver 
> and URL of the database. An attacker may pass a JNDI driver name and a URL 
> leading to a LDAP or RMI servers, causing remote code execution. This can be 
> exploited through various attack vectors, most notably through the H2 Console 
> which leads to unauthenticated remote code execution.
> CVE-2022-23221 (CRITICAL severity) - H2 Console before 2.1.210 allows remote 
> attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the 
> IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, 
> a different vulnerability than CVE-2021-42392.
> These have been addressed in 2.1.214.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Assigned] (HIVE-26566) Upgrade H2 database version to 2.1.214

2022-09-26 Thread Naveen Gangam (Jira)


 [ 
https://issues.apache.org/jira/browse/HIVE-26566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Naveen Gangam reassigned HIVE-26566:



> Upgrade H2 database version to 2.1.214
> --
>
> Key: HIVE-26566
> URL: https://issues.apache.org/jira/browse/HIVE-26566
> Project: Hive
>  Issue Type: Task
>  Components: Testing Infrastructure
>Reporter: Stamatis Zampetakis
>Assignee: Stamatis Zampetakis
>Priority: Minor
>  Labels: pull-request-available
> Fix For: 4.0.0, 4.0.0-alpha-1
>
>
> The 1.3.166 version, which is in use in Hive, suffers from the following 
> security vulnerabilities:
> https://nvd.nist.gov/vuln/detail/CVE-2021-42392
> https://nvd.nist.gov/vuln/detail/CVE-2022-23221
> In the project, we use H2 only for testing purposes (inside the jdbc-handler 
> module) thus the H2 binaries are not present in the runtime classpath thus 
> these CVEs do not pose a problem for Hive or its users. Nevertheless, it 
> would be good to upgrade to a more recent version to avoid Hive coming up in 
> vulnerability scans due to this.



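The three CVE descriptions quoted in the first notification and the "we only use it in tests, but scanners will still flag it" point in the second both come down to two checks a reviewer would want to script: does the pinned H2 version fall inside the affected ranges the ticket states, and would a (driver class, URL) pair handed to something like org.h2.util.JdbcUtils.getConnection be safe to pass on. The Python below is an added example, not Hive or H2 code. The version ranges are taken verbatim from the ticket text (CVE-2021-42392 has no range on the page, so the ticket's "addressed in 2.1.214" is used as its conservative upper bound); the driver allowlist, the javax.naming. prefix test and every sample input are assumptions constructed for illustration.

```python
"""Two defensive checks derived from the CVE descriptions quoted in HIVE-26566.

Added example, not Hive or H2 code. Version ranges are the ones the ticket
states; the allowlist policy and sample inputs are constructed assumptions.
"""
import re

# Affected ranges as stated in the ticket: (inclusive lower, exclusive upper).
# CVE-2021-42392 carries no range in the ticket; the ticket only says all three
# are addressed in 2.1.214, so that is used as its (conservative) upper bound.
AFFECTED = {
    "CVE-2021-23463": ((1, 4, 198), (2, 0, 202)),   # XXE via JdbcSQLXML.getSource
    "CVE-2022-23221": (None, (2, 1, 210)),          # H2 Console INIT=RUNSCRIPT
    "CVE-2021-42392": (None, (2, 1, 214)),          # JNDI driver/URL in getConnection
}


def parse_version(text):
    """'2.1.214' -> (2, 1, 214); tolerates a trailing qualifier like '-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised H2 version: %r" % text)
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Sorted list of ticket CVE ids whose stated range covers `version`."""
    v = parse_version(version)
    hits = [cve for cve, (low, high) in AFFECTED.items()
            if (low is None or low <= v) and v < high]
    return sorted(hits)


# --- Validation for (driver class, url) pairs before they reach H2 ---------

ALLOWED_DRIVER = "org.h2.Driver"               # allowlist policy (assumption)
H2_PREFIX = "jdbc:h2:"
REMOTE_LOOKUP = ("ldap:", "ldaps:", "rmi:")    # server types named in CVE-2021-42392


def h2_url_settings(url):
    """Split 'jdbc:h2:mem:x;A=1;B=2' into {'A': '1', 'B': '2'} (keys upper-cased).

    H2 separates settings with ';'. An escaped '\\;' inside a value is not
    handled here, so such a value is split into pieces; that only adds keys,
    so a dangerous INIT= never disappears from the result.
    """
    settings = {}
    for part in url.split(";")[1:]:
        key, _, value = part.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def dangerous_settings(settings):
    """Reasons to reject the settings that CVE-2022-23221's URL relies on."""
    reasons = []
    if "INIT" in settings:
        reasons.append("INIT=%s runs SQL at connect time (CVE-2022-23221 uses "
                       "INIT=RUNSCRIPT)" % settings["INIT"])
    if settings.get("FORBID_CREATION", "").upper() == "FALSE":
        reasons.append("FORBID_CREATION=FALSE lets the URL create a new database")
    if settings.get("IGNORE_UNKNOWN_SETTINGS", "").upper() == "TRUE":
        reasons.append("IGNORE_UNKNOWN_SETTINGS=TRUE hides settings H2 would reject")
    return reasons


def check_connection_request(driver_class, url):
    """Return a list of reasons to reject (driver_class, url); empty means clean."""
    findings = []
    if driver_class != ALLOWED_DRIVER:
        findings.append("driver class %r is not the allow-listed JDBC driver" % driver_class)
    if driver_class.startswith("javax.naming."):
        findings.append("driver class is a JNDI context, not a JDBC driver "
                        "(CVE-2021-42392 pattern)")
    lowered = url.lower()
    if lowered.startswith(REMOTE_LOOKUP):
        findings.append("URL points at an LDAP/RMI server instead of a database")
    if not lowered.startswith(H2_PREFIX):
        findings.append("URL does not start with %r" % H2_PREFIX)
    else:
        findings.extend(dangerous_settings(h2_url_settings(url)))
    return findings


if __name__ == "__main__":
    # Constructed inputs: the version Hive pinned, and the URL shape from the ticket.
    print("1.3.166 ->", affected_cves("1.3.166"))
    print("2.1.214 ->", affected_cves("2.1.214"))
    bad_url = ("jdbc:h2:mem:test;IGNORE_UNKNOWN_SETTINGS=TRUE;"
               "FORBID_CREATION=FALSE;INIT=RUNSCRIPT")
    for reason in check_connection_request("org.h2.Driver", bad_url):
        print("reject:", reason)
    for reason in check_connection_request("javax.naming.InitialContext",
                                           "ldap://attacker.example:1389/x"):
        print("reject:", reason)
```

The input check is defence in depth for code paths that build JDBC URLs or driver names from configuration, not a substitute for the upgrade the ticket performs: the allowlist deliberately refuses anything but org.h2.Driver and jdbc:h2: URLs, and any INIT= setting is rejected outright rather than trying to inspect the SQL it carries.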