
Upgrade H2 to resolve security vulnerabilities

Open AdamDz opened this issue 9 months ago • 1 comments

The H2 module in Doobie depends on H2 version 1.4.200.

This version has critical security vulnerabilities that are reported by dependency scanners:

  1. CVE-2021-23463 XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object
  2. CVE-2022-23221 Allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL
  3. CVE-2021-42392 An attacker may pass a JNDI driver name and a URL leading to LDAP or RMI servers, causing remote code execution.

These vulnerabilities do not exist in version 2.1.210 or above. There is no H2 version in the 1.x line that is free of these vulnerabilities and that could be swapped in easily on a per-project basis.

AdamDz avatar Mar 19 '25 14:03 AdamDz
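Until the doobie-h2 module itself moves to the 2.x line, the per-project swap the issue refers to can be done from the consuming project's build. The following `build.sbt` fragment is an added example, not doobie's own build file: it shows the transitive dependency as it arrives (the weak setting) next to an `sbt` `dependencyOverrides` that forces the patched release for the whole build. The doobie version string is an assumption for illustration; the H2 coordinates `com.h2database:h2` and the override mechanism are standard sbt.

```scala
// Added example (not part of doobie's build): pin the transitive H2 dependency
// to a release that carries the fixes for CVE-2021-23463, CVE-2021-42392 and
// CVE-2022-23221, without waiting for a new doobie-h2 artifact.

val doobieVersion = "1.0.0-RC5"   // assumed version, replace with the one your project uses

libraryDependencies ++= Seq(
  "org.tpolecat" %% "doobie-core" % doobieVersion,
  // doobie-h2 declares com.h2database:h2 1.4.200 transitively; left alone,
  // dependency resolution keeps that version unless something newer is requested.
  "org.tpolecat" %% "doobie-h2"   % doobieVersion
)

// Corrected setting: force the patched 2.x line for every module in the build.
// dependencyOverrides wins over the transitive declaration at resolution time
// but does not add h2 as a direct dependency of modules that never needed it.
dependencyOverrides += "com.h2database" % "h2" % "2.1.210"
```

Run `sbt evicted` (or `sbt dependencyTree` on sbt 1.4+) afterwards and confirm that `com.h2database:h2:1.4.200` is listed as evicted in favour of 2.1.210; a scanner that still reports the old version usually means the override was placed in a subproject that does not see it. One caveat before flipping the switch in a project that keeps on-disk H2 databases: 2.x changed the database file format and tightened some SQL behaviour, so the upgrade is not a drop-in for existing database files, which need to be exported from 1.4.x and re-imported.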

Hi there,

Looks like an interesting issue.

I would be glad to address this issue.

Could you assign me?

Thank you.

SanjayUG avatar Mar 22 '25 15:03 SanjayUG

I'll address this one.

sharmaakshay177 avatar Jul 18 '25 15:07 sharmaakshay177