kafka-connect-hdfs
kafka-connect-hdfs copied to clipboard
confluentinc
fix(deps): update dependency org.apache.calcite:calcite-core to v1.32.0 [security] (master)
For any questions/concerns about this PR, please review the Renovate Bot wiki/FAQs, or the #renovatebot Slack channel.
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| org.apache.calcite:calcite-core (source) | 1.22.0 -> 1.32.0 |
GitHub Vulnerability Alerts
CVE-2020-13955
"HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore."
CVE-2022-39135
In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.
Missing Authentication for Critical Function in Apache Calcite
CVE-2020-13955 / GHSA-hxp5-8pgq-mgv9
More information
Details
"HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore."
Severity
- CVSS Score: 5.9 / 10 (Medium)
- Vector String:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-13955
- https://github.com/apache/calcite/commit/43eeafcbac29d02c72bd520c003cdfc571de2d15
- https://issues.apache.org/jira/browse/CALCITE-4298
- https://lists.apache.org/thread.html/r0b0fbe2038388175951ce1028182d980f9e9a7328be13d52dab70bb3%40%3Cdev.calcite.apache.org%3E
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Apache Calcite before 1.32.0 vulnerable to potential XML External Entity (XXE) attack
CVE-2022-39135 / GHSA-fj2m-w3wv-x9pr
More information
Details
In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.
Severity
- CVSS Score: 9.8 / 10 (Critical)
- Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-39135
- https://lists.apache.org/thread/ohdnhlgm6jvt3srw8l7spkm2d5vwm082
- http://www.openwall.com/lists/oss-security/2022/11/21/3
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Renovate Bot.
![renovatebot-confluentinc[bot] avatar](https://avatars.githubusercontent.com/u/9439498?v=4 "Published by a pub.dev verified publisher"){kind=small}
Analysis Details
0 Issues
0 Bugs
0 Vulnerabilities
0 Code Smells
Coverage and Duplications
No coverage information (0.00% Estimated after merge)
No duplication information (0.70% Estimated after merge)
Project ID: kafka-connect-hdfs