Man-in-the-Middle (MitM) Affecting org.apache.calcite:calcite-core package, versions [, 1.26)


0.0
high
  • Attack Complexity

    Low

  • User Interaction

    Required

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGAPACHECALCITE-1038296

  • published

    9 Oct 2020

  • disclosed

    9 Oct 2020

  • credit

    Unknown

How to fix?

Upgrade org.apache.calcite:calcite-core to version 1.26 or higher.

Overview

org.apache.calcite:calcite-core is a Core Calcite APIs and engine.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters.

The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications.