#VU47648 Improper Certificate Validation in Calcite - CVE-2020-13955


Published: October 9, 2020 / Updated: October 15, 2020


Vulnerability identifier: #VU47648
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-13955
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Calcite
Software vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists because the HttpUtils#getURLConnection method explicitly disables hostname verification for HTTPS connections, making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect to Druid and Splunk, so information leakage may occur when the respective Calcite adapters are used.
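The weak pattern the description refers to, shown as an added illustration (not Calcite's own code): a HostnameVerifier that accepts every host, next to the hardened form that keeps the JDK default, plus a small audit check a reviewer can apply to a connection. The URL is a placeholder; `openConnection()` does not contact the network.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

public class HostnameVerificationExample {

    // The CWE-295 anti-pattern: a verifier that returns true for every host
    // means any valid certificate, issued for any domain, is accepted here.
    static HttpsURLConnection openWithoutHostnameCheck(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier((hostname, session) -> true); // weak: do not do this
        return conn;
    }

    // Hardened form: keep the JDK default verifier, which matches the
    // certificate's SubjectAlternativeName against the requested host.
    static HttpsURLConnection openWithHostnameCheck(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Restore the default explicitly in case a library replaced it earlier.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }

    // Audit helper: true when the connection still uses the process-wide default
    // verifier. Caveat: it cannot tell if the global default itself was replaced
    // via HttpsURLConnection.setDefaultHostnameVerifier(), so review that too.
    static boolean hostnameVerificationIntact(HttpsURLConnection conn) {
        HostnameVerifier v = conn.getHostnameVerifier();
        return v == HttpsURLConnection.getDefaultHostnameVerifier();
    }

    public static void main(String[] args) throws IOException {
        URL druid = new URL("https://druid.example.invalid/"); // placeholder host
        System.out.println("weak:     " + hostnameVerificationIntact(openWithoutHostnameCheck(druid)));
        System.out.println("hardened: " + hostnameVerificationIntact(openWithHostnameCheck(druid)));
    }
}
```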


Remediation

Install updates from vendor's website.

External links