Lucene search
ApacheCVELIST:CVE-2022-39135HistorySep 11, 2022 - 12:00 a.m.
CVE-2022-39135 Apache Calcite: potential XEE attacks
2022-09-1100:00:00
CWE-611
apache
www.cve.org
1
Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.
CNA Affected
[
{
"product": "Apache Calcite",
"vendor": "Apache Software Foundation",
"versions": [
{
"version": "1.22.0",
"lessThan": "1.32.0",
"status": "affected",
"versionType": "custom"
}
]
}
]Related
veracode
veracode
XML External Entity (XXE)
2022-09-12 05:15:01
prion
prion
Xxe
2022-09-11 12:15:00
nvd
nvd
CVE-2022-39135
2022-09-11 12:15:08
github
github
osv
osv
CVE-2022-39135
2022-09-11 12:15:08
cve
cve
CVE-2022-39135
2022-09-11 12:15:08
redhatcve
redhatcve
CVE-2022-39135
2022-09-13 19:43:00
ibm
ibm
nessus
nessus
Oracle Essbase (April 2023 CPU)
2023-04-20 00:00:00
IBM Cognos Analytics Multiple Vulnerabilities (6986505)
2023-05-12 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00