Apache Calcite XXE in XML Ops (EXISTS_NODE, EXTRACT_XML) fixed v1.32.0
CVE-2022-39135 Published on September 11, 2022
Apache Calcite: potential XEE attacks
Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.
Weakness Type
What is a XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2022-39135 has been classified to as a XXE vulnerability or weakness.
Products Associated with CVE-2022-39135
Want to know whenever a new CVE is published for Apache Calcite? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Calcite:- Version 1.22.0 and below 1.32.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.