Avatica JDBC Driver <1.22.0: Code Exec via Unchecked httpclient_impl Class
CVE-2022-36364 Published on July 28, 2022
Apache Calcite Avatica JDBC driver `httpclient_impl` connection property can be used as an RCE vector
The Apache Calcite Avatica JDBC driver creates HTTP client instances from the class name supplied in the `httpclient_impl` connection property. However, the driver does not verify that the class implements the expected interface before instantiating it, which can lead to code execution through arbitrary classes loaded this way and, in rare cases, remote code execution. Exploitation requires that 1) the attacker has privileges to control JDBC connection parameters, and 2) a vulnerable class (one with a constructor that takes a URL parameter and the ability to execute code) is on the classpath. From Apache Calcite Avatica 1.22.0 onwards, the driver verifies that the class implements the expected interface before invoking its constructor.
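The unchecked instantiation pattern described above, next to the interface check, as an added example that is not Avatica's own code. Every class and method name in it (`HttpClientImplCheck`, `HttpClient`, `GoodClient`, `Unrelated`, `createUnchecked`, `createChecked`) is hypothetical, and the URL is a constructed sample value.

```java
import java.net.URI;
import java.net.URL;

// Added illustration; all names are hypothetical stand-ins, not Avatica classes.
public class HttpClientImplCheck {
    /** Stand-in for the interface the driver expects its HTTP client to implement. */
    interface HttpClient { byte[] send(byte[] request); }

    /** A legitimate implementation with the (URL) constructor the driver calls. */
    public static class GoodClient implements HttpClient {
        public GoodClient(URL url) { }
        public byte[] send(byte[] request) { return request; }
    }

    /** Unrelated classpath class whose (URL) constructor has a visible side effect. */
    public static class Unrelated {
        static boolean constructorRan = false;
        public Unrelated(URL url) { constructorRan = true; }
    }

    /** Unchecked pattern: the constructor runs before any type check happens. */
    static Object createUnchecked(String className, URL url) throws Exception {
        Class<?> clz = Class.forName(className);
        return clz.getConstructor(URL.class).newInstance(url);
    }

    /** Checked pattern: verify the interface first, then invoke the constructor. */
    static HttpClient createChecked(String className, URL url) throws Exception {
        // initialize=false also skips static initializers (added precaution, an assumption).
        Class<?> clz = Class.forName(className, false, HttpClientImplCheck.class.getClassLoader());
        if (!HttpClient.class.isAssignableFrom(clz)) {
            throw new IllegalArgumentException(className + " does not implement HttpClient");
        }
        return clz.asSubclass(HttpClient.class).getConstructor(URL.class).newInstance(url);
    }

    public static void main(String[] args) throws Exception {
        URL url = URI.create("http://localhost:8765/").toURL(); // constructed sample value
        String unrelated = Unrelated.class.getName();
        createUnchecked(unrelated, url);
        System.out.println("unchecked: constructor ran = " + Unrelated.constructorRan);
        Unrelated.constructorRan = false;
        try {
            createChecked(unrelated, url);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: rejected, constructor ran = " + Unrelated.constructorRan);
        }
        System.out.println("checked: accepted " + createChecked(GoodClient.class.getName(), url).getClass().getSimpleName());
    }
}
```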
Weakness Type
Improper Initialization
The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.
Products Associated with CVE-2022-36364
Affected Versions
Apache Software Foundation Apache Calcite Avatica: versions below 1.22.0 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.