Vulnerability CVE-2021-23463 in h2-1.4.200.jar

matthelliwell · December 20, 2021, 2:45pm

Liquibase 4.6.2 ships with h2-1.4.200.jar. This has a known vulnerability (NVD - CVE-2021-23463). As I am only running against MySQL, am I ok just to delete the jar from my installation?

nvoxland · December 20, 2021, 9:45pm

Yes, you can just delete it.

We ship with a variety of drivers, but none are actually used unless you are connecting to that database. It doesn’t hurt to delete it if you’d like, but it’s also dead code to you if you’re OK with just ignoring it.

We’re looking at upgrading, but it gets to be a breaking change for users with H2 1.4 so it’s not something we can just jump to.

Nathan

matthelliwell · December 21, 2021, 7:58am

Thanks, I’ll do that then. I assumed it was dead code but it’s being picked up by our vulnerability scanner so if I can stop the scanner complaining it makes my life easier.

nvoxland · January 7, 2022, 2:42pm

We are going to ship the newer version of the jar as part of the 4.7.0 release.

Nathan

Topic		Replies	Views
Liquibase 4.14 security vulnerabilities General Discussion	2	493	July 27, 2022
CVE-2022-0778 vulnerability in liquibase	6	2183	April 22, 2022
Liquibase 4.17.1 is now available! News and Announcements release , 417 , 4-17-1	1	1085	October 22, 2022
Log4J2 Vulnerability Does Not Affect Liquibase News and Announcements security , log4j2	0	733	December 14, 2021
Maria DB vulnerabilities	5	907	May 20, 2022

Free Tools

Cheat Sheets

eBooks

Comparison Guides

Vulnerability CVE-2021-23463 in h2-1.4.200.jar

Free Tools

Cheat Sheets

eBooks

Comparison Guides

Vulnerability CVE-2021-23463 in h2-1.4.200.jar

Related topics