Home > Vulnerability Database > CVE-2022-39135

Mend Vulnerability Database

CVE-2022-39135

Good to know:

Date: September 11, 2022

Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.

Language: Java

Severity Score

9.8

Related Resources (4)

Url: http://www.openwall.com/lists/oss-security/2022/11/21/3

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39135

Url: https://lists.apache.org/thread/ohdnhlgm6jvt3srw8l7spkm2d5vwm082

Url: https://www.mend.io/vulnerability-database/CVE-2022-39135

Severity Score

9.8

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference ('XXE')

CWE-611

Top Fix

Upgrade Version

Upgrade to version org.apache.calcite:calcite-core:1.32.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend Vulnerability Database

We found results for “”

CVE-2022-39135

Good to know:

Date: September 11, 2022

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?