Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2022/11/21/3 | Mailing List Mitigation Third Party Advisory |
https://lists.apache.org/thread/ohdnhlgm6jvt3srw8l7spkm2d5vwm082 | Mailing List Vendor Advisory |
http://www.openwall.com/lists/oss-security/2022/11/21/3 | Mailing List Mitigation Third Party Advisory |
https://lists.apache.org/thread/ohdnhlgm6jvt3srw8l7spkm2d5vwm082 | Mailing List Vendor Advisory |
Configurations
History
21 Nov 2024, 07:17
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2022/11/21/3 - Mailing List, Mitigation, Third Party Advisory | |
References | () https://lists.apache.org/thread/ohdnhlgm6jvt3srw8l7spkm2d5vwm082 - Mailing List, Vendor Advisory |
20 Sep 2023, 18:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators. |
Information
Published : 2022-09-11 12:15
Updated : 2024-11-21 07:17
NVD link : CVE-2022-39135
Mitre link : CVE-2022-39135
CVE.ORG link : CVE-2022-39135
JSON object : View
Products Affected
apache
- calcite
CWE
CWE-611
Improper Restriction of XML External Entity Reference