GHSA-hxp5-8pgq-mgv9

Source

https://github.com/advisories/GHSA-hxp5-8pgq-mgv9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-hxp5-8pgq-mgv9/GHSA-hxp5-8pgq-mgv9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hxp5-8pgq-mgv9

Aliases

CVE-2020-13955

Published

2021-04-22T16:14:14Z

Modified

2023-11-08T04:02:24.261790Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Missing Authentication for Critical Function in Apache Calcite

Details

"HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore."

Database specific

{
    "nvd_published_at": "2020-10-09T13:15:00Z",
    "github_reviewed_at": "2021-04-21T20:27:19Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-295"
    ]
}

References

Affected packages

Maven / org.apache.calcite:calcite-core

Package

Name: org.apache.calcite:calcite-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.calcite/calcite-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.26.0

Affected versions

0.*

0.9.1-incubating

0.9.2-incubating

1.*

1.0.0-incubating

1.1.0-incubating

1.2.0-incubating

1.3.0-incubating

1.4.0-incubating

1.5.0

1.6.0

1.7.0

1.8.0

1.9.0

1.10.0

1.11.0

1.12.0

1.13.0

1.14.0

1.15.0

1.16.0

1.17.0

1.18.0

1.19.0

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.25.0

Maven / org.apache.calcite:calcite-druid

Package

Name: org.apache.calcite:calcite-druid; View open source insights on deps.dev
Purl: pkg:maven/org.apache.calcite/calcite-druid

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.26.0

Affected versions

1.*

1.8.0

1.9.0

1.10.0

1.11.0

1.12.0

1.13.0

1.14.0

1.15.0

1.16.0

1.17.0

1.18.0

1.19.0

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.25.0

Maven / org.apache.calcite:calcite-splunk

Package

Name: org.apache.calcite:calcite-splunk; View open source insights on deps.dev
Purl: pkg:maven/org.apache.calcite/calcite-splunk

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.26.0

Affected versions

0.*

0.9.1-incubating

0.9.2-incubating

1.*

1.0.0-incubating

1.1.0-incubating

1.2.0-incubating

1.3.0-incubating

1.4.0-incubating

1.5.0

1.6.0

1.7.0

1.8.0

1.9.0

1.10.0

1.11.0

1.12.0

1.13.0

1.14.0

1.15.0

1.16.0

1.17.0

1.18.0

1.19.0

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.25.0