[GH-ISSUE #632] High and Critical CVEs in Cloudbeaver #176

Closed
opened 2026-03-07 20:45:43 +03:00 by kerem · 5 comments

Originally created by @PatrickDerichs on GitHub (Jan 24, 2022).
Original GitHub issue: https://github.com/dbeaver/cloudbeaver/issues/632

Describe the bug
Cloudbeaver has a couple of High CVEs because of the H2 dependency. The CVEs in question can be found in the Trivy scan result under additional context.

Would it be possible to upgrade this dependency to get rid of the CVEs if they have been fixed upstream?

Not sure if this should be under features or bug reports.

To Reproduce
Steps to reproduce the behavior:

  1. Run Trivy with the latest image of cloudbeaver.

Screenshots
N/A

Desktop (please complete the following information):
N/A

Additional context

+-------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
|               LIBRARY               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                 TITLE                 |
+-------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.google.protobuf:protobuf-java   | CVE-2021-22569   | HIGH     | 3.6.1             | 3.19.2, 3.18.2, 3.16.1         | protobuf-java: potential DoS in the   |
|                                     |                  |          |                   |                                | parsing procedure for binary data     |
|                                     |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-22569 |
+-------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.h2database:h2                   | CVE-2021-42392   | CRITICAL | 1.4.199           | 2.0.206                        | h2: Remote Code Execution in Console  |
|                                     |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-42392 |
+                                     +------------------+          +                   +--------------------------------+---------------------------------------+
|                                     | CVE-2022-23221   |          |                   | 2.1.210                        | Arbitrary code                        |
|                                     |                  |          |                   |                                | execution in H2 Console               |
|                                     |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-23221 |
+                                     +------------------+----------+                   +--------------------------------+---------------------------------------+
|                                     | CVE-2021-23463   | HIGH     |                   | 2.0.202                        | h2database: XXE                       |
|                                     |                  |          |                   |                                | injection vulnerability               |
|                                     |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-23463 |
+-------------------------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| org.apache.commons:commons-compress | CVE-2019-12402   |          |              1.18 |                           1.19 | apache-commons-compress: Infinite     |
|                                     |                  |          |                   |                                | loop in name encoding algorithm       |
|                                     |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-12402 |
+                                     +------------------+          +                   +--------------------------------+---------------------------------------+
|                                     | CVE-2021-35515   |          |                   |                           1.21 | apache-commons-compress:              |
|                                     |                  |          |                   |                                | infinite loop when reading a          |
|                                     |                  |          |                   |                                | specially crafted 7Z archive          |
|                                     |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35515 |
+                                     +------------------+          +                   +                                +---------------------------------------+
|                                     | CVE-2021-35516   |          |                   |                                | apache-commons-compress: excessive    |
|                                     |                  |          |                   |                                | memory allocation when reading        |
|                                     |                  |          |                   |                                | a specially crafted 7Z archive        |
|                                     |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35516 |
+                                     +------------------+          +                   +                                +---------------------------------------+
|                                     | CVE-2021-35517   |          |                   |                                | apache-commons-compress: excessive    |
|                                     |                  |          |                   |                                | memory allocation when reading        |
|                                     |                  |          |                   |                                | a specially crafted TAR archive       |
|                                     |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35517 |
+                                     +------------------+          +                   +                                +---------------------------------------+
|                                     | CVE-2021-36090   |          |                   |                                | apache-commons-compress: excessive    |
|                                     |                  |          |                   |                                | memory allocation when reading        |
|                                     |                  |          |                   |                                | a specially crafted ZIP archive       |
|                                     |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-36090 |
+-------------------------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| org.eclipse.jetty:jetty-http        | CVE-2020-27216   |          | 10.0.6            | 9.3.29.v20201019,              | jetty: local temporary directory      |
|                                     |                  |          |                   | 9.4.32.v20200930, 11.0.1       | hijacking vulnerability               |
|                                     |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27216 |
+-------------------------------------+                  +          +                   +                                +                                       +
| org.eclipse.jetty:jetty-server      |                  |          |                   |                                |                                       |
|                                     |                  |          |                   |                                |                                       |
|                                     |                  |          |                   |                                |                                       |
+-------------------------------------+                  +          +                   +                                +                                       +
| org.eclipse.jetty:jetty-util        |                  |          |                   |                                |                                       |
|                                     |                  |          |                   |                                |                                       |
|                                     |                  |          |                   |                                |                                       |
+-------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
kerem 2026-03-07 20:45:43 +03:00: closed this issue, added the x:h2 label

@kseniiaguzeeva commented on GitHub (Jan 26, 2022):

Thank you for the report, we are going to update the H2 driver.


@serge-rider commented on GitHub (Jan 27, 2022):

Unfortunately it is not that easy to upgrade the H2 driver.
The H2 2.x database format is not compatible with the 1.x format. Upgrading will require recreating the CloudBeaver embedded database (thus losing all user permissions and some other config).
Potentially it is possible to upgrade the database file version automatically; I'm investigating this possibility.


@serge-rider commented on GitHub (Jan 27, 2022):

Note: H2 vulnerabilities are not applicable to CloudBeaver.
CloudBeaver uses the H2 embedded database to store some configuration data (e.g. user permissions).

  • CloudBeaver doesn't expose the H2 console at all, thus CVE-2021-42392 and CVE-2022-23221 can't occur.
  • CVE-2021-23463 is related to the XML data type and may be applicable in case of SQL injection. CloudBeaver doesn't use XML data types for embedded databases.

@miltonchirinos44 commented on GitHub (Sep 22, 2022):

If you want to modify the h2 database, I managed to change it to the PostgreSQL database (https://github.com/dbeaver/cloudbeaver/issues/1148); hope it helps you.


@TatyanaSsau commented on GitHub (Apr 10, 2023):

Fixed in version 23.0.2.

Thank you for the interest in CloudBeaver!!!
