org.apache.calcite.avatica:avatica-core@1.20.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.calcite.avatica:avatica-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • [H] Arbitrary Code Execution

org.apache.calcite.avatica:avatica-core is a JDBC driver framework.

Affected versions of this package are vulnerable to Arbitrary Code Execution when the JDBC driver fails to verify that a given client instance implements a permitted interface. This allows attackers to load arbitrary classes and thereby execute code.

Note: For this vulnerability to be exploited, there must be a class on the classpath whose constructor takes a URL parameter and which has the ability to execute code.

How to fix Arbitrary Code Execution?

Upgrade org.apache.calcite.avatica:avatica-core to version 1.22.0 or higher.

Vulnerable versions: [,1.22.0)