List:       oss-security
Subject:    [oss-security] CVE-2022-36364: Apache Calcite Avatica JDBC driver `httpclient_impl` connection prope
From:       Ruben Q L <rubenql () apache ! org>
Date:       2022-07-28 7:38:24
Message-ID: 9f4f4eb2-79d4-0351-0d36-05443710c549 () apache ! org

Severity: moderate

Description:

Apache Calcite Avatica JDBC driver creates HTTP client instances based on
class names provided via `httpclient_impl` connection property; however,
the driver does not verify if the class implements the expected interface
before instantiating it, which can lead to code execution loaded via
arbitrary classes and in rare cases remote code execution.

To exploit the vulnerability:
1) the attacker needs to have privileges to control JDBC connection
parameters;
2) and there should be a vulnerable class (constructor with URL parameter
and ability to execute code) in the classpath.

From Apache Calcite Avatica 1.22.0 onwards, it will be verified that the
class implements the expected interface before invoking its constructor.
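
The following is an added example, not code from the advisory or from the Avatica project: it contrasts instantiate-then-cast with the verify-before-construct order described above. ClientApi, GoodClient, Unrelated and both loader methods are hypothetical names, and the URL is a constructed value.

```java
import java.net.URI;
import java.net.URL;

public class HttpClientLoaderExample {
    /** Hypothetical stand-in for the interface the driver expects. */
    public interface ClientApi { byte[] send(byte[] request); }

    /** Constructed sample: a legitimate implementation. */
    public static class GoodClient implements ClientApi {
        public GoodClient(URL url) { }
        public byte[] send(byte[] request) { return request; }
    }

    /** Constructed sample: unrelated class whose URL constructor has a side effect. */
    public static class Unrelated {
        static boolean constructed = false;
        public Unrelated(URL url) { constructed = true; }
    }

    // Before: the constructor runs first; the cast fails only afterwards.
    static ClientApi loadUnchecked(String name, URL url) throws Exception {
        Object o = Class.forName(name).getConstructor(URL.class).newInstance(url);
        return (ClientApi) o;
    }

    // After: verify the type before any code from the named class runs.
    static ClientApi loadChecked(String name, URL url) throws Exception {
        ClassLoader cl = HttpClientLoaderExample.class.getClassLoader();
        Class<?> clz = Class.forName(name, false, cl); // false: no static init yet
        if (!ClientApi.class.isAssignableFrom(clz)) {
            throw new IllegalArgumentException(name + " is not a " + ClientApi.class.getName());
        }
        return clz.asSubclass(ClientApi.class).getConstructor(URL.class).newInstance(url);
    }

    public static void main(String[] args) throws Exception {
        URL url = URI.create("http://localhost:8765/").toURL(); // constructed value
        String bad = Unrelated.class.getName();
        try { loadUnchecked(bad, url); } catch (ClassCastException e) { /* too late */ }
        System.out.println("unchecked load ran constructor: " + Unrelated.constructed);
        Unrelated.constructed = false;
        try { loadChecked(bad, url); } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("checked load ran constructor: " + Unrelated.constructed);
        System.out.println("accepted: " + loadChecked(GoodClient.class.getName(), url).getClass().getName());
    }
}
```

Passing `false` to `Class.forName` also keeps the named class's static initializer from running before the interface check.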

Credit:

Apache Calcite Avatica would like to thank Peter M
(https://twitter.com/h1pmnh) for reporting this issue.
