cloudbeaver
cloudbeaver copied to clipboard
dbeaver
High and Critical CVEs in Cloudbeaver
Describe the bug Cloudbeaver has a couple of High CVEs because of the H2 dependency. The CVEs in question can be found in the Trivy scan result under additional context
Would it be possible to upgrade this dependency to get rid of the CVEs if they have been fixed upstream.
Not sure if this should be under features or bug reports.
To Reproduce Steps to reproduce the behavior:
- Run Trivy with the latest image of cloudbeaver.
Screenshots N/A
Desktop (please complete the following information): N/A
Additional context
+-------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.google.protobuf:protobuf-java | CVE-2021-22569 | HIGH | 3.6.1 | 3.19.2, 3.18.2, 3.16.1 | protobuf-java: potential DoS in the |
| | | | | | parsing procedure for binary data |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22569 |
+-------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.h2database:h2 | CVE-2021-42392 | CRITICAL | 1.4.199 | 2.0.206 | h2: Remote Code Execution in Console |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-42392 |
+ +------------------+ + +--------------------------------+---------------------------------------+
| | CVE-2022-23221 | | | 2.1.210 | Arbitrary code |
| | | | | | execution in H2 Console |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-23221 |
+ +------------------+----------+ +--------------------------------+---------------------------------------+
| | CVE-2021-23463 | HIGH | | 2.0.202 | h2database: XXE |
| | | | | | injection vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23463 |
+-------------------------------------+------------------+ +-------------------+--------------------------------+---------------------------------------+
| org.apache.commons:commons-compress | CVE-2019-12402 | | 1.18 | 1.19 | apache-commons-compress: Infinite |
| | | | | | loop in name encoding algorithm |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12402 |
+ +------------------+ + +--------------------------------+---------------------------------------+
| | CVE-2021-35515 | | | 1.21 | apache-commons-compress: |
| | | | | | infinite loop when reading a |
| | | | | | specially crafted 7Z archive |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35515 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-35516 | | | | apache-commons-compress: excessive |
| | | | | | memory allocation when reading |
| | | | | | a specially crafted 7Z archive |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35516 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-35517 | | | | apache-commons-compress: excessive |
| | | | | | memory allocation when reading |
| | | | | | a specially crafted TAR archive |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35517 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-36090 | | | | apache-commons-compress: excessive |
| | | | | | memory allocation when reading |
| | | | | | a specially crafted ZIP archive |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36090 |
+-------------------------------------+------------------+ +-------------------+--------------------------------+---------------------------------------+
| org.eclipse.jetty:jetty-http | CVE-2020-27216 | | 10.0.6 | 9.3.29.v20201019, | jetty: local temporary directory |
| | | | | 9.4.32.v20200930, 11.0.1 | hijacking vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-27216 |
+-------------------------------------+ + + + + +
| org.eclipse.jetty:jetty-server | | | | | |
| | | | | | |
| | | | | | |
+-------------------------------------+ + + + + +
| org.eclipse.jetty:jetty-util | | | | | |
| | | | | | |
| | | | | | |
+-------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
Unfortunately it is not that easy to upgrade H2 driver. H2 2.x database format is not compatible with 1.x format. Upgrade will require to recreate CloudBeaver embedded database (thus loose all user permissions and some other config). Potentially it is possible to upgrade database file version automatically, I'm investigating this possibility.
Note: H2 vulnerabilities are not applicable to CloudBeaver. CloudBeaver uses H2 embedded database to store some configurational data (e.g. user permissions).
- CloudBeaver doesn't expose H2 console at all thus CVE-2021-42392 and CVE-2022-23221 can't occur.
- CVE-2021-23463 is related to XML data type and may be applicable in case of SQL injection. CloudBeaver doesn't use XML data tyes for embedded databases.
If you want to modify the h2 database, I managed to change it to the PostgreSQL database https://github.com/dbeaver/cloudbeaver/issues/1148 hope it helps you
