org.apache.polaris:polaris-core 1.2.0-incubating

Direct Vulnerabilities

Known vulnerabilities in the org.apache.polaris:polaris-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Improper Encoding or Escaping of Output org.apache.polaris:polaris-core is an a catalog for data lakes. It provides new levels of choice, flexibility and control over data, with full enterprise security and Apache Iceberg interoperability across a multitude of engines and infrastructure Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the handling of namespace and table names containing wildcard characters in the process of generating temporary S3 access policies. An attacker can gain unauthorized access to metadata and data of other tables, including reading, listing, creating, and deleting objects in S3 storage, by crafting namespace or table names with wildcard characters that are interpreted as wildcards in S3 IAM policies. How to fix Improper Encoding or Escaping of Output? Upgrade `org.apache.polaris:polaris-core` to version 1.4.1 or higher.	[,1.4.1)
H Expression Language Injection org.apache.polaris:polaris-core is an a catalog for data lakes. It provides new levels of choice, flexibility and control over data, with full enterprise security and Apache Iceberg interoperability across a multitude of engines and infrastructure Affected versions of this package are vulnerable to Expression Language Injection via unescaped content in the construction of Credential Access Boundary (CAB) CEL conditions. An attacker can gain unauthorized access to files and objects across the entire configured Google Cloud Storage bucket by supplying a crafted namespace or table identifier containing special characters that break out of the intended path restriction. How to fix Expression Language Injection? Upgrade `org.apache.polaris:polaris-core` to version 1.4.1 or higher.	[,1.4.1)

Vulnerability

Vulnerable Version

Improper Encoding or Escaping of Output

org.apache.polaris:polaris-core is an a catalog for data lakes. It provides new levels of choice, flexibility and control over data, with full enterprise security and Apache Iceberg interoperability across a multitude of engines and infrastructure

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the handling of namespace and table names containing wildcard characters in the process of generating temporary S3 access policies. An attacker can gain unauthorized access to metadata and data of other tables, including reading, listing, creating, and deleting objects in S3 storage, by crafting namespace or table names with wildcard characters that are interpreted as wildcards in S3 IAM policies.

How to fix Improper Encoding or Escaping of Output?

Upgrade org.apache.polaris:polaris-core to version 1.4.1 or higher.

[,1.4.1)

Expression Language Injection

Affected versions of this package are vulnerable to Expression Language Injection via unescaped content in the construction of Credential Access Boundary (CAB) CEL conditions. An attacker can gain unauthorized access to files and objects across the entire configured Google Cloud Storage bucket by supplying a crafted namespace or table identifier containing special characters that break out of the intended path restriction.

How to fix Expression Language Injection?

Upgrade org.apache.polaris:polaris-core to version 1.4.1 or higher.

[,1.4.1)

org.apache.polaris:polaris-core@1.2.0-incubating

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically