org.apache.polaris:polaris-runtime-service@1.3.0-incubating

  • latest version

    1.4.1

  • latest non vulnerable version

  • first published

    10 months ago

  • latest version published

    15 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.polaris:polaris-runtime-service package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Missing Authorization

    org.apache.polaris:polaris-runtime-service is a catalog for data lakes. It provides new levels of choice, flexibility and control over data, with full enterprise security and Apache Iceberg interoperability across a multitude of engines and infrastructure.

    Affected versions of this package are vulnerable to Missing Authorization via staged table creation. An attacker can obtain broad temporary storage credentials for an arbitrary location by supplying a custom location or manipulating write.data.path or write.metadata.path in the request before proper validation occurs.

    How to fix Missing Authorization?

    Upgrade org.apache.polaris:polaris-runtime-service to version 1.4.1 or higher.

    [,1.4.1)
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization through the optional write.metadata.path property. An attacker can cause unauthorized metadata to be written to an attacker-controlled storage location by altering table settings, leading to exposure, modification, or deletion of data and metadata.

    Note: This is only exploitable if polaris.config.allow.unstructured.table.location=true and the allowedLocations configuration includes the attacker-chosen target.

    How to fix Incorrect Authorization?

    Upgrade org.apache.polaris:polaris-runtime-service to version 1.4.1 or higher.

    [,1.4.1)