Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-13955

Good to know:

icon
icon

Date: October 9, 2020

HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.

Language: Java

Severity Score

Related Resources (5)

https://issues.apache.org/jira/browse/CALCITE-4298
https://nvd.nist.gov/vuln/detail/CVE-2020-13955
https://lists.apache.org/thread.html/r0b0fbe2038388175951ce1028182d980f9e9a7328be13d52dab70bb3%40%3Cdev.calcite.apache.org%3E
https://github.com/apache/calcite/commit/43eeafcbac29d02c72bd520c003cdfc571de2d15
https://www.mend.io/vulnerability-database/CVE-2020-13955

Severity Score

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Missing Authentication for Critical Function

CWE-306

Top Fix

icon

Upgrade Version

Upgrade to version calcite-1.26.0-rc0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us