Vulnerability	Vulnerable Version
H Man-in-the-Middle (MitM) org.apache.calcite:calcite-core is a Core Calcite APIs and engine. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The `HttpUtils#getURLConnection` method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. How to fix Man-in-the-Middle (MitM)? Upgrade `org.apache.calcite:calcite-core` to version 1.26 or higher.	[,1.26)

Man-in-the-Middle (MitM)

org.apache.calcite:calcite-core is a Core Calcite APIs and engine.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters.

The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications.

How to fix Man-in-the-Middle (MitM)?

Upgrade org.apache.calcite:calcite-core to version 1.26 or higher.

[,1.26)

Go back to all versions of this package