Open
Description
The H2 module in Doobie depends on H2 version 1.4.200.
This version has critical security vulnerabilities that are reported by dependency scanners:
- CVE-2021-23463 XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object
- CVE-2022-23221 Allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL
- CVE-2021-42392 An attacker may pass a JNDI driver name and a URL leading to LDAP or RMI servers, causing remote code execution.
These vulnerabilities do not exist in the version 2.1.210 or above.
There is no H2 version in the 1.x line that is free of these vulnerabilities and could be swapped in easily on a per-project basis.
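One way a downstream project can pin the transitive H2 version while waiting for the module to be upgraded, shown here as an added example rather than code from the doobie project or from the issue author. The sbt layout, the doobie version placeholder and the `build.sbt` structure are assumptions; the artifact coordinates `org.tpolecat:doobie-h2` and `com.h2database:h2` and the `dependencyOverrides` setting are real.

```scala
// build.sbt (example added here; not part of the doobie project)
// Assumes sbt 1.x and a doobie release whose doobie-h2 module still declares H2 1.4.200.
// The doobie version is a placeholder assumption; set it to whatever your project uses.
val doobieVersion = "1.0.0-RC1"

libraryDependencies ++= Seq(
  "org.tpolecat" %% "doobie-core" % doobieVersion,
  "org.tpolecat" %% "doobie-h2"   % doobieVersion
)

// Force the version sbt resolves for com.h2database:h2, regardless of the
// version doobie-h2 declares transitively. 2.1.210 is the first release the
// issue names as free of CVE-2021-23463, CVE-2022-23221 and CVE-2021-42392.
dependencyOverrides += "com.h2database" % "h2" % "2.1.210"
```

To confirm the override took effect at runtime rather than trusting the build file, open a connection and inspect `java.sql.DriverManager.getConnection("jdbc:h2:mem:check").getMetaData.getDriverVersion`, which should start with `2.1.210`. Two caveats before taking this into production: H2 2.x cannot open database files written by the 1.4.x line, so file-backed databases have to be exported with `SCRIPT TO` on the old version and re-imported with `RUNSCRIPT FROM` on the new one, and the 2.x SQL dialect is stricter in places than 1.4.200, so the project's test suite should be re-run against the new driver rather than assuming the bump is transparent.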