Vulnerabilities > CVE-2022-39135 - XXE vulnerability in Apache Calcite

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

apache

CWE-611

critical

NVD

Published: 2022-09-11

Updated: 2023-11-06

Summary

Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Calcite 1.22.0 Apache Calcite 1.23.0 Apache Calcite 1.24.0 Apache Calcite 1.25.0 Apache Calcite 1.26 Apache Calcite 1.26.0	11

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References