calcite-core-1.26.0.jar: 23 vulnerabilities (highest severity is: 9.8) reachable #3

Open
dev-mend-for-github-com bot opened this issue Dec 17, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend


dev-mend-for-github-com bot commented Dec 17, 2023

Vulnerable Library - calcite-core-1.26.0.jar

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (calcite-core version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2022-42004 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 1.33.0 | | Reachable |
| CVE-2022-42003 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 1.33.0 | | Reachable |
| CVE-2022-3509 | High | 7.5 | protobuf-java-3.6.1.jar | Transitive | 1.28.0 | | Reachable |
| CVE-2021-46877 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 1.33.0 | | Reachable |
| CVE-2021-22569 | High | 7.5 | protobuf-java-3.6.1.jar | Transitive | 1.28.0 | | Reachable |
| CVE-2020-36518 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 1.33.0 | | Reachable |
| WS-2019-0379 | Medium | 6.5 | commons-codec-1.12.jar | Transitive | 1.27.0 | | Reachable |
| CVE-2021-27568 | Medium | 5.9 | json-smart-2.3.jar | Transitive | 1.30.0 | | Reachable |
| CVE-2022-3171 | Medium | 4.3 | protobuf-java-3.6.1.jar | Transitive | 1.28.0 | | Reachable |
| WS-2020-0287 | Low | 3.0 | commons-dbcp2-2.6.0.jar | Transitive | 1.36.0 | | Reachable |
| CVE-2020-9493 | Critical | 9.8 | log4j-1.2.17.jar | Transitive | N/A* | | Unreachable |
| CVE-2019-17571 | Critical | 9.8 | log4j-1.2.17.jar | Transitive | N/A* | | Unreachable |
| CVE-2022-23305 | Critical | 9.6 | log4j-1.2.17.jar | Transitive | N/A* | | Unreachable |
| CVE-2022-23307 | High | 8.8 | log4j-1.2.17.jar | Transitive | N/A* | | Unreachable |
| CVE-2022-23302 | High | 8.8 | log4j-1.2.17.jar | Transitive | N/A* | | Unreachable |
| CVE-2022-1471 | High | 8.3 | snakeyaml-1.24.jar | Transitive | 1.35.0 | | Unreachable |
| CVE-2023-26464 | High | 7.5 | log4j-1.2.17.jar | Transitive | N/A* | | Unreachable |
| CVE-2022-25857 | High | 7.5 | snakeyaml-1.24.jar | Transitive | 1.33.0 | | Unreachable |
| CVE-2021-29425 | Medium | 4.7 | commons-io-2.4.jar | Transitive | 1.30.0 | | Unreachable |
| CVE-2020-9488 | Low | 3.7 | log4j-1.2.17.jar | Transitive | N/A* | | Unreachable |
| CVE-2017-18640 | High | 7.5 | snakeyaml-1.24.jar | Transitive | 1.31.0 | | |
| CVE-2018-10237 | Medium | 5.9 | guava-23.0.jar | Transitive | N/A* | | |
| CVE-2020-13956 | Medium | 5.3 | detected in multiple dependencies | Transitive | 1.31.0 | | |

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether a version of the transitive dependency itself fixes the vulnerability.

**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
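The table above reduces to two actions, and the following Maven fragment shows both. It is an added example, not the calcite-tutorial project's own pom.xml and not something the Mend report produced; it assumes a single module that depends directly on org.apache.calcite:calcite-core. First, every row with a "Fixed in" value is covered by upgrading calcite-core to 1.36.0, the highest version in that column. Second, the rows marked N/A* (log4j 1.2.17, guava 23.0) have no calcite-core release that fixes them, so log4j is excluded from the subtree and replaced with the reload4j artifact that the "Fix Resolution" lines name, and a maven-enforcer-plugin rule bans the vulnerable ranges so a later dependency change cannot silently bring them back. The version floors that come from this report are jackson-databind 2.12.7.1, protobuf-java 3.16.3, commons-codec 1.13, json-smart 2.3.1 and commons-dbcp2 2.9.0; the remaining floors (the jackson 2.13.x and protobuf 3.19/3.20/3.21 sub-ranges, snakeyaml 2.0, guava 24.1.1, commons-io 2.7, httpclient 4.5.13) are taken from the upstream advisories and are assumptions here rather than values on this page.

```xml
<!-- pom.xml fragment (added example, not the tutorial project's own file).
     Assumed: a single module depending directly on org.apache.calcite:calcite-core. -->
<project>

  <properties>
    <!-- 1.36.0 is the highest value in the "Fixed in (calcite-core version)" column
         (WS-2020-0287 in commons-dbcp2); every lower fix version is covered by it. -->
    <calcite.version>1.36.0</calcite.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.apache.calcite</groupId>
      <artifactId>calcite-core</artifactId>
      <version>${calcite.version}</version>
      <exclusions>
        <!-- Rows marked N/A*: no calcite-core release fixes log4j 1.2.17, so cut it out.
             A Maven exclusion applies to the whole subtree, so this removes
             calcite-core -> uzaygezen-core -> log4j whatever the intermediate is. -->
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Drop-in replacement named in the report's "Fix Resolution" lines. Only needed
         if something on the classpath still references org.apache.log4j.* classes;
         otherwise the exclusion alone is enough. -->
    <dependency>
      <groupId>ch.qos.reload4j</groupId>
      <artifactId>reload4j</artifactId>
      <version>1.2.18.2</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Regression guard: fail the build if a later dependency change brings back
           log4j 1.x or any version inside the vulnerable ranges from the table. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-vulnerable-transitives</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- "[,fixed)" bans everything below the fixed version.
                       Floors from this report: jackson 2.12.7.1, protobuf 3.16.3,
                       commons-codec 1.13, json-smart 2.3.1, commons-dbcp2 2.9.0.
                       Floors from the upstream advisories (assumptions here):
                       jackson 2.13.4.1, protobuf 3.19.6 / 3.20.3 / 3.21.7,
                       snakeyaml 2.0, guava 24.1.1, commons-io 2.7, httpclient 4.5.13. -->
                  <excludes>
                    <exclude>log4j:log4j</exclude>
                    <exclude>com.fasterxml.jackson.core:jackson-databind:[,2.12.7.1),[2.13,2.13.4.1)</exclude>
                    <exclude>com.google.protobuf:protobuf-java:[,3.16.3),[3.17,3.19.6),[3.20,3.20.3),[3.21,3.21.7)</exclude>
                    <exclude>commons-codec:commons-codec:[,1.13)</exclude>
                    <exclude>net.minidev:json-smart:[,2.3.1)</exclude>
                    <exclude>org.apache.commons:commons-dbcp2:[,2.9.0)</exclude>
                    <exclude>org.yaml:snakeyaml:[,2.0)</exclude>
                    <exclude>com.google.guava:guava:[,24.1.1)</exclude>
                    <exclude>commons-io:commons-io:[,2.7)</exclude>
                    <exclude>org.apache.httpcomponents:httpclient:[,4.5.13)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After the change, `mvn dependency:tree -Dincludes=log4j:log4j,com.fasterxml.jackson.core:jackson-databind` should show no log4j node and a jackson-databind version at or above the floor, and `mvn enforcer:enforce` fails the build if any banned coordinate is still resolved. Two caveats a reviewer of this report should keep in mind. The "Unreachable" verdicts on the log4j rows are about the tutorial's call graph; SocketServer, JMSSink and JDBCAppender are activated by log4j configuration rather than by application code, so those verdicts hold only while no such appender is configured, which is another reason to remove the artifact rather than rely on reachability. And the jackson-databind fixes in 2.12.7.1 close the three specific nesting paths the CVEs describe; Jackson 2.15 and later add a general StreamReadConstraints limit (default maximum nesting depth 1000) that guards the parser as a whole, which is the version line to aim for rather than the minimum that clears the scanner.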

Details

Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-42004

Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /calcite-tutorial-9-rule/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • calcite-linq4j-1.26.0.jar
      • avatica-core-1.17.0.jar
        • jackson-databind-2.10.0.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.github.quxiucheng.calcite.schema.tutorial.ModelHandlerTest (Application)
  -> com.fasterxml.jackson.dataformat.yaml.YAMLMapper (Extension)
   -> com.fasterxml.jackson.dataformat.yaml.YAMLMapper$Builder (Extension)
    -> com.fasterxml.jackson.databind.cfg.MapperBuilder (Extension)
    ...
      -> com.fasterxml.jackson.databind.type.ResolvedRecursiveType (Extension)
       -> com.fasterxml.jackson.databind.SerializerProvider (Extension)
        -> ❌ com.fasterxml.jackson.databind.ser.impl.FailingSerializer (Vulnerable Component)

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.7.1

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.33.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-42003

Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /calcite-tutorial-9-rule/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • calcite-linq4j-1.26.0.jar
      • avatica-core-1.17.0.jar
        • jackson-databind-2.10.0.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.github.quxiucheng.calcite.schema.tutorial.ModelHandlerTest (Application)
  -> org.apache.calcite.model.JsonRoot (Extension)
   -> org.apache.calcite.model.JsonSchema (Extension)
    -> org.apache.logging.log4j.core.config.LoggerConfig (Extension)
    ...
      -> org.apache.logging.log4j.core.jackson.LogEventWithContextListMixIn (Extension)
       -> org.apache.logging.log4j.core.jackson.ContextDataAsEntryListDeserializer (Extension)
        -> ❌ com.fasterxml.jackson.databind.deser.std.StdDeserializer (Vulnerable Component)

Vulnerability Details

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.7.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled (that DeserializationFeature is off by default, so an application is exposed only if it turns it on).

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.7.1

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.33.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-3509

Vulnerable Library - protobuf-java-3.6.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /calcite-tutorial-2-parser/parser-3-calcite-tutorial/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.6.1/protobuf-java-3.6.1.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • calcite-linq4j-1.26.0.jar
      • avatica-core-1.17.0.jar
        • protobuf-java-3.6.1.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.github.quxiucheng.calcite.validator.tutorial.IdentifierExpansionSample (Application)
  -> org.apache.calcite.server.CalciteServerStatement (Extension)
   -> org.apache.calcite.avatica.Meta$Signature (Extension)
    -> org.apache.calcite.avatica.proto.Common (Extension)
     -> ❌ com.google.protobuf.ExtensionRegistry (Vulnerable Component)

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-11-01

URL: CVE-2022-3509

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.28.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-46877

Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /calcite-tutorial-9-rule/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • calcite-linq4j-1.26.0.jar
      • avatica-core-1.17.0.jar
        • jackson-databind-2.10.0.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.github.quxiucheng.calcite.schema.tutorial.ModelHandlerTest (Application)
  -> com.fasterxml.jackson.databind.ObjectMapper (Extension)
   -> com.fasterxml.jackson.databind.node.ArrayNode (Extension)
    -> com.fasterxml.jackson.databind.node.BaseJsonNode (Extension)
     -> ❌ com.fasterxml.jackson.databind.node.NodeSerialization (Vulnerable Component)

Vulnerability Details

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Publish Date: 2023-03-18

URL: CVE-2021-46877

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-46877

Release Date: 2023-03-18

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.33.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22569

Vulnerable Library - protobuf-java-3.6.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /calcite-tutorial-2-parser/parser-3-calcite-tutorial/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.6.1/protobuf-java-3.6.1.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • calcite-linq4j-1.26.0.jar
      • avatica-core-1.17.0.jar
        • protobuf-java-3.6.1.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.github.quxiucheng.calcite.validator.tutorial.IdentifierExpansionSample (Application)
  -> org.apache.calcite.jdbc.CalcitePrepare (Extension)
   -> org.apache.calcite.jdbc.CalcitePrepare$CalciteSignature (Extension)
    -> org.apache.calcite.avatica.Meta$Signature (Extension)
    ...
      -> com.google.protobuf.Descriptors$DescriptorValidationException (Extension)
       -> com.google.protobuf.DescriptorProtos$FileDescriptorProto (Extension)
        -> ❌ com.google.protobuf.UnknownFieldSet (Vulnerable Component)

Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-07

URL: CVE-2021-22569

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wrvw-hg22-4m67

Release Date: 2022-01-10

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.1

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.28.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-36518

Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /calcite-tutorial-9-rule/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • calcite-linq4j-1.26.0.jar
      • avatica-core-1.17.0.jar
        • jackson-databind-2.10.0.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.github.quxiucheng.calcite.schema.tutorial.ModelHandlerTest (Application)
  -> com.fasterxml.jackson.databind.ObjectMapper (Extension)
   -> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
    -> com.fasterxml.jackson.databind.deser.BasicDeserializerFactory (Extension)
     -> com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer (Extension)
      -> ❌ com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla (Vulnerable Component)

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.33.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0379

Vulnerable Library - commons-codec-1.12.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.12/commons-codec-1.12.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • calcite-linq4j-1.26.0.jar
      • avatica-core-1.17.0.jar
        • httpclient-4.5.9.jar
          • commons-codec-1.12.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.github.quxiucheng.calcite.validator.tutorial.IdentifierExpansionSample (Application)
  -> org.apache.calcite.jdbc.CalcitePrepare (Extension)
   -> org.apache.calcite.jdbc.CalcitePrepare$ConvertResult (Extension)
    -> org.apache.calcite.avatica.remote.AvaticaHttpClientFactoryImpl (Extension)
    ...
      -> org.apache.http.impl.auth.SPNegoSchemeFactory (Extension)
       -> org.apache.http.impl.auth.SPNegoScheme (Extension)
        -> ❌ org.apache.commons.codec.binary.Base64 (Vulnerable Component)

Vulnerability Details

Apache commons-codec before version 1.13 (first fixed in commons-codec-1.13-RC1) is vulnerable to information disclosure due to improper input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution (commons-codec:commons-codec): 1.13

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.27.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-27568

Vulnerable Library - json-smart-2.3.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: http://www.minidev.net/

Path to dependency file: /calcite-tutorial-4-validator/validator-1-calcite-validator/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.3/json-smart-2.3.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • json-path-2.4.0.jar
      • json-smart-2.3.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.github.quxiucheng.calcite.schema.tutorial.TutorialTableSchema (Application)
  -> org.apache.calcite.schema.impl.AbstractSchema (Extension)
   -> org.apache.calcite.schema.Function (Extension)
    -> com.jayway.jsonpath.internal.DefaultsImpl (Extension)
    ...
      -> net.minidev.json.parser.JSONParser (Extension)
       -> net.minidev.json.parser.JSONParserReader (Extension)
        -> ❌ net.minidev.json.parser.JSONParserBase (Vulnerable Component)

Vulnerability Details

An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.

Publish Date: 2021-02-23

URL: CVE-2021-27568

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-23

Fix Resolution (net.minidev:json-smart): 2.3.1

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.30.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-3171

Vulnerable Library - protobuf-java-3.6.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /calcite-tutorial-2-parser/parser-3-calcite-tutorial/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.6.1/protobuf-java-3.6.1.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • calcite-linq4j-1.26.0.jar
      • avatica-core-1.17.0.jar
        • protobuf-java-3.6.1.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.github.quxiucheng.calcite.validator.tutorial.IdentifierExpansionSample (Application)
  -> org.apache.calcite.jdbc.CalcitePrepare (Extension)
   -> org.apache.calcite.prepare.CalcitePrepareImpl (Extension)
    -> org.apache.calcite.avatica.remote.Service (Extension)
    ...
      -> com.google.protobuf.Descriptors$Descriptor (Extension)
       -> com.google.protobuf.DescriptorProtos$MessageOptions (Extension)
        -> ❌ com.google.protobuf.DescriptorProtos$MessageOptions$1 (Vulnerable Component)

Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.28.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0287

Vulnerable Library - commons-dbcp2-2.6.0.jar

Apache Commons DBCP software implements Database Connection Pooling

Path to dependency file: /calcite-tutorial-4-validator/validator-1-calcite-validator/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-dbcp2/2.6.0/commons-dbcp2-2.6.0.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • commons-dbcp2-2.6.0.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.github.quxiucheng.tutorial.common.catalog.TutorialCalciteCatalogReader (Application)
  -> org.apache.calcite.jdbc.CalciteSchema (Extension)
   -> org.apache.calcite.jdbc.CalciteSchema$SchemaPlusImpl (Extension)
    -> org.apache.calcite.adapter.jdbc.JdbcSchema (Extension)
     -> org.apache.calcite.adapter.jdbc.JdbcUtils$DataSourcePool (Extension)
      -> org.apache.commons.dbcp2.BasicDataSource (Extension)
       -> ❌ org.apache.commons.dbcp2.BasicDataSourceMXBean (Vulnerable Component)

Vulnerability Details

Apache commons-dbcp through 2.8.0 exposes sensitive information via JMX. If a BasicDataSource is created with jmxName set, the password property is exported via JMX and is visible to everybody who can connect to the JMX port.

Publish Date: 2020-03-04

URL: WS-2020-0287

CVSS 3 Score Details (3.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-04

Fix Resolution (org.apache.commons:commons-dbcp2): 2.9.0

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.36.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-9493

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • uzaygezen-core-0.2.jar
      • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2019-17571

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • uzaygezen-core-0.2.jar
      • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to and including 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: test

Release Date: 2019-12-20

Fix Resolution: test

CVE-2022-23305

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • uzaygezen-core-0.2.jar
      • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

CVE-2022-23307

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • uzaygezen-core-0.2.jar
      • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2022-23302

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • uzaygezen-core-0.2.jar
      • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2022-1471

Vulnerable Library - snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • jackson-dataformat-yaml-2.10.0.jar
      • snakeyaml-1.24.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (8.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution (org.yaml:snakeyaml): 2.0

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.35.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-26464

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • uzaygezen-core-0.2.jar
      • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on a JRE older than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (i.e., deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-10

URL: CVE-2023-26464

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vp98-w2p3-mv35

Release Date: 2023-03-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0

CVE-2022-25857

Vulnerable Library - snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • jackson-dataformat-yaml-2.10.0.jar
      • snakeyaml-1.24.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: test

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.33.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-29425

Vulnerable Library - commons-io-2.4.jar

The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/io/

Path to dependency file: /calcite-tutorial-2-parser/parser-4-calcite-custom-tutorial/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • commons-io-2.4.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution (commons-io:commons-io): 2.7

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.30.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-9488

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • uzaygezen-core-0.2.jar
      • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3

CVE-2017-18640

Vulnerable Library - snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar

Dependency Hierarchy:

  • calcite-core-1.26.0.jar (Root Library)
    • jackson-dataformat-yaml-2.10.0.jar
      • snakeyaml-1.24.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution (org.yaml:snakeyaml): 1.26

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.31.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️ Automatic Remediation will be attempted for this issue.

@dev-mend-for-github-com dev-mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Dec 17, 2023
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title calcite-core-1.26.0.jar: 25 vulnerabilities (highest severity is: 9.8) calcite-core-1.26.0.jar: 25 vulnerabilities (highest severity is: 9.8) reachable Mar 4, 2024
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title calcite-core-1.26.0.jar: 25 vulnerabilities (highest severity is: 9.8) reachable calcite-core-1.26.0.jar: 24 vulnerabilities (highest severity is: 9.8) reachable Jan 12, 2025
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title calcite-core-1.26.0.jar: 24 vulnerabilities (highest severity is: 9.8) reachable calcite-core-1.26.0.jar: 23 vulnerabilities (highest severity is: 9.8) reachable Jan 12, 2025
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title calcite-core-1.26.0.jar: 23 vulnerabilities (highest severity is: 9.8) reachable calcite-core-1.26.0.jar: 22 vulnerabilities (highest severity is: 9.8) reachable Jan 12, 2025
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title calcite-core-1.26.0.jar: 22 vulnerabilities (highest severity is: 9.8) reachable calcite-core-1.26.0.jar: 21 vulnerabilities (highest severity is: 9.8) reachable Jan 16, 2025
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title calcite-core-1.26.0.jar: 21 vulnerabilities (highest severity is: 9.8) reachable calcite-core-1.26.0.jar: 22 vulnerabilities (highest severity is: 9.8) reachable Jan 20, 2025
@dev-mend-for-github-com dev-mend-for-github-com bot changed the title calcite-core-1.26.0.jar: 22 vulnerabilities (highest severity is: 9.8) reachable calcite-core-1.26.0.jar: 23 vulnerabilities (highest severity is: 9.8) reachable Jan 20, 2025