2126543 – (CVE-2022-39135) CVE-2022-39135 calcite: XXE via SQL operators

Bug 2126543 (CVE-2022-39135) - CVE-2022-39135 calcite: XXE via SQL operators

Summary: CVE-2022-39135 calcite: XXE via SQL operators

Keywords:
Status:	NEW
Alias:	CVE-2022-39135
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2126407
TreeView+	depends on / blocked

Reported:	2022-09-13 19:15 UTC by Chess Hazlett
Modified:	2024-02-01 03:42 UTC (History)
CC List:	9 users (show)
Fixed In Version:	calcite 1.32.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Chess Hazlett 2022-09-13 19:15:49 UTC

In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.

Note You need to log in before you can comment on or make changes to this bug.