Lucene search

ApacheCVE-2020-13955

HistoryOct 09, 2020 - 1:15 p.m.

CVE-2020-13955

2020-10-0913:15:11

CWE-295

apache

web.nvd.nist.gov

cve-2020-13955

httputils

geturlconnection

hostname verification

https

man-in-the-middle

calcite

druid

splunk

information leakage

utility class

jvm truststore

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

23.9%

JSON

HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.

Affected configurations

Nvd

Vulners

Node

apachecalciteRange<1.26

VendorProductVersionCPE
apachecalcite*cpe:2.3:a:apache:calcite:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	calcite	*	cpe:2.3:a:apache:calcite::::::::

CNA Affected

[
  {
    "product": "Apache Calcite",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Calcite 0.8 to 1.25"
      }
    ]
  }
]