Main Vulnerability Database Vulnerabilities #VU65864

#VU65864 Code Injection in Apache Calcite Avatica - CVE-2022-36364

Published: July 28, 2022

Vulnerability identifier: #VU65864

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-36364

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Apache Calcite Avatica

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in JDBC driver, which creates HTTP client instances based on class names provided via "httpclient_impl" connection property. The driver does not verify if the class implements the expected interface before instantiating it. A remote user with ability to control JDBC connection parameters can inject arbitrary class name and execute code on the system.

Remediation

Install updates from vendor's website.

External links

https://seclists.org/oss-sec/2022/q3/75

#VU65864 Code Injection in Apache Calcite Avatica - CVE-2022-36364

Description

Remediation

External links

Please verify you're human