org.apache.calcite:calcite-core@1.23.0 vulnerabilities

latest version

1.36.0
latest non vulnerable version

1.36.0
first published

10 years ago
latest version published

6 months ago
licenses detected
- Apache-2.0
  [0.9.1-incubating,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.calcite:calcite-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H XML External Entity (XXE) Injection org.apache.calcite:calcite-core is a Core Calcite APIs and engine. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the SQL operators `EXISTS_NODE`, `EXTRACT_XML`, `XML_TRANSFORM` and `EXTRACT_VALUE` that do not restrict `XML External Entity` references in their configuration. Note: Users who expose these operators, typically by using Oracle dialect (for the first three) or MySQL dialect (for the last one), are affected by this vulnerability. How to fix XML External Entity (XXE) Injection? Upgrade `org.apache.calcite:calcite-core` to version 1.32.0 or higher.	[1.22.0,1.32.0)
H Man-in-the-Middle (MitM) org.apache.calcite:calcite-core is a Core Calcite APIs and engine. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The `HttpUtils#getURLConnection` method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. How to fix Man-in-the-Middle (MitM)? Upgrade `org.apache.calcite:calcite-core` to version 1.26 or higher.	[,1.26)

XML External Entity (XXE) Injection

org.apache.calcite:calcite-core is a Core Calcite APIs and engine.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE that do not restrict XML External Entity references in their configuration.

Note: Users who expose these operators, typically by using Oracle dialect (for the first three) or MySQL dialect (for the last one), are affected by this vulnerability.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.calcite:calcite-core to version 1.32.0 or higher.

[1.22.0,1.32.0)

Man-in-the-Middle (MitM)

org.apache.calcite:calcite-core is a Core Calcite APIs and engine.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters.

The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications.

How to fix Man-in-the-Middle (MitM)?

Upgrade org.apache.calcite:calcite-core to version 1.26 or higher.

[,1.26)

Go back to all versions of this package

org.apache.calcite:calcite-core@1.23.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities