Security Flaw in Apache Calcite Affects Druid and Splunk Connectivity
CVE-2020-13955

5.9MEDIUM

Key Information:

Vendor: Apache
Status: Apache Calcite
Vendor: CVE Published:; 9 October 2020

Summary

A vulnerability exists in the HttpUtils#getURLConnection method of Apache Calcite, which disables hostname verification for HTTPS connections. This flaw exposes clients to man-in-the-middle attacks, compromising data security during interactions with Druid and Splunk through their relevant Calcite adapters. As a result, sensitive information may be leaked. From version 1.26 onward, Apache Calcite addresses this issue by enabling hostname verification using the default JVM truststore, thus enhancing connection security.

Affected Version(s)

Apache Calcite Apache Calcite 0.8 to 1.25

References

https://lists.apache.org/thread.html/r0b0fbe2038388175951...

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 9, 2020
Vulnerability Reserved
Jun 8, 2020