Update for CVE-2021-2471 ?
dennisbulgatz opened this issue · 1 comment
Question: is anyone working to address CVE-2021-2471?
Per CVE-2021-2471, mysql-connector-java ≤ 8.0.26 is vulnerable to an XML attack. From Snyk:
mysql:mysql-connector-java provides connectivity for client applications developed in the Java programming language with MySQL Connector/J, a driver that implements the Java Database Connectivity (JDBC) API.
Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the getSource() method, due to a missing check for external entities.
Mitigation steps
Upgrade mysql-connector-java to 8.0.27 or higher
We pushed jdbc-mysql 8.0.27; however, please note that using a library does not mean being exposed.
In AR-JDBC (and thus any JRuby on Rails app) we do not use getSource for XML from the JDBC API.