Vulnerability CVE-2021-23463 in h2-1.4.200.jar

Liquibase 4.6.2 ships with h2-1.4.200.jar. This has a known vulnerability (NVD - CVE-2021-23463). As I am only running against MySQL, am I ok just to delete the jar from my installation?

Yes, you can just delete it.

We ship with a variety of drivers, but none are actually used unless you are connecting to that database. It doesn’t hurt to delete it if you’d like, but it’s also dead code to you if you’re OK with just ignoring it.

We’re looking at upgrading, but it gets to be a breaking change for users with H2 1.4 so it’s not something we can just jump to.


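One way to do what the answer above describes, written as an added example rather than anything from the Liquibase project or this thread: move the bundled H2 jar out of the install's lib/ directory, but only after checking that the Liquibase properties file in use does not point at a jdbc:h2 URL. The script assumes the standard layout of $LIQUIBASE_HOME/lib/*.jar and a liquibase.properties with a "url:" (or "url=") line; the jar names and properties file in the demo are constructed placeholders, not real drivers.

```shell
#!/bin/sh
# Added example (not Liquibase project code): retire the bundled H2 driver
# from a Liquibase install when the only target database is MySQL.
# Assumption: jars live in $HOME_DIR/lib and the active config is a
# liquibase.properties file whose "url" line names the JDBC driver in use.
set -u

# Return 0 if the properties file (if present) configures an H2 JDBC URL.
uses_h2_url() {
  props="$1"
  [ -f "$props" ] || return 1
  grep -Eq '^[[:space:]]*url[[:space:]]*[:=][[:space:]]*jdbc:h2:' "$props"
}

# Move every h2-*.jar from lib/ into lib-removed/ (kept as a rollback copy).
# Refuses to touch anything when the configured URL targets H2.
# Returns 0 if at least one jar was moved, 1 if none found, 2 if refused.
remove_h2_driver() {
  home="$1"; props="$2"; backup="$home/lib-removed"
  if uses_h2_url "$props"; then
    echo "refusing: $props targets H2, the driver is in use" >&2
    return 2
  fi
  mkdir -p "$backup"
  moved=0
  for jar in "$home"/lib/h2-*.jar; do
    [ -e "$jar" ] || continue
    mv "$jar" "$backup/"
    echo "moved: $(basename "$jar") -> $backup"
    moved=$((moved + 1))
  done
  [ "$moved" -gt 0 ]
}

# Count the jars still present in lib/, to confirm the other drivers survive.
count_jars() {
  n=0
  for jar in "$1"/lib/*.jar; do
    [ -e "$jar" ] && n=$((n + 1))
  done
  echo "$n"
}

# Build a constructed install tree with empty placeholder "jars" and a
# MySQL-only properties file; prints the directory path.
make_demo_install() {
  d=$(mktemp -d)
  mkdir -p "$d/lib"
  : > "$d/lib/h2-1.4.200.jar"
  : > "$d/lib/mysql-connector-java-8.0.27.jar"
  printf 'url: jdbc:mysql://db.example.invalid:3306/app\n' > "$d/liquibase.properties"
  echo "$d"
}

# Stand-alone demo run against the constructed tree.
demo=$(make_demo_install)
remove_h2_driver "$demo" "$demo/liquibase.properties"
echo "jars left in lib/: $(count_jars "$demo")"
rm -rf "$demo"
```

Run it against a real install as `remove_h2_driver /opt/liquibase /opt/liquibase/liquibase.properties`; the moved jar sits in lib-removed/ so it can be put back if a scanner or a later changelog turns out to need it. Note that the check only covers the properties file you pass in: a URL supplied on the command line or through an environment variable is not inspected.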

Thanks, I’ll do that then. I assumed it was dead code but it’s being picked up by our vulnerability scanner so if I can stop the scanner complaining it makes my life easier.

We are going to ship the newer version of the jar as part of the 4.7.0 release.