## Vulnerable Library - calcite-core-1.26.0.jar

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

## Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (calcite-core version) | Remediation Possible** | Reachability |
| ------------- | ------------- | ----- | ----- | ----- | ------------- | --- | --- |
| [CVE-2022-42004](https://www.mend.io/vulnerability-database/CVE-2022-42004) | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 1.33.0 | ✅ | Reachable |
| [CVE-2022-42003](https://www.mend.io/vulnerability-database/CVE-2022-42003) | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 1.33.0 | ✅ | Reachable |
| [CVE-2022-3509](https://www.mend.io/vulnerability-database/CVE-2022-3509) | High | 7.5 | protobuf-java-3.6.1.jar | Transitive | 1.28.0 | ✅ | Reachable |
| [CVE-2021-46877](https://www.mend.io/vulnerability-database/CVE-2021-46877) | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 1.33.0 | ✅ | Reachable |
| [CVE-2021-22569](https://www.mend.io/vulnerability-database/CVE-2021-22569) | High | 7.5 | protobuf-java-3.6.1.jar | Transitive | 1.28.0 | ✅ | Reachable |
| [CVE-2020-36518](https://www.mend.io/vulnerability-database/CVE-2020-36518) | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 1.33.0 | ✅ | Reachable |
| [WS-2019-0379](https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113) | Medium | 6.5 | commons-codec-1.12.jar | Transitive | 1.27.0 | ✅ | Reachable |
| [CVE-2021-27568](https://www.mend.io/vulnerability-database/CVE-2021-27568) | Medium | 5.9 | json-smart-2.3.jar | Transitive | 1.30.0 | ✅ | Reachable |
| [CVE-2022-3171](https://www.mend.io/vulnerability-database/CVE-2022-3171) | Medium | 4.3 | protobuf-java-3.6.1.jar | Transitive | 1.28.0 | ✅ | Reachable |
| [WS-2020-0287](https://issues.apache.org/jira/browse/DBCP-562) | Low | 3.0 | commons-dbcp2-2.6.0.jar | Transitive | 1.36.0 | ✅ | Reachable |
| [CVE-2020-9493](https://www.mend.io/vulnerability-database/CVE-2020-9493) | Critical | 9.8 | log4j-1.2.17.jar | Transitive | N/A* | ❌ | Unreachable |
| [CVE-2019-17571](https://www.mend.io/vulnerability-database/CVE-2019-17571) | Critical | 9.8 | log4j-1.2.17.jar | Transitive | N/A* | ❌ | Unreachable |
| [CVE-2022-23305](https://www.mend.io/vulnerability-database/CVE-2022-23305) | Critical | 9.6 | log4j-1.2.17.jar | Transitive | N/A* | ❌ | Unreachable |
| [CVE-2022-23307](https://www.mend.io/vulnerability-database/CVE-2022-23307) | High | 8.8 | log4j-1.2.17.jar | Transitive | N/A* | ❌ | Unreachable |
| [CVE-2022-23302](https://www.mend.io/vulnerability-database/CVE-2022-23302) | High | 8.8 | log4j-1.2.17.jar | Transitive | N/A* | ❌ | Unreachable |
| [CVE-2022-1471](https://www.mend.io/vulnerability-database/CVE-2022-1471) | High | 8.3 | snakeyaml-1.24.jar | Transitive | 1.35.0 | ✅ | Unreachable |
| [CVE-2023-26464](https://www.mend.io/vulnerability-database/CVE-2023-26464) | High | 7.5 | log4j-1.2.17.jar | Transitive | N/A* | ❌ | Unreachable |
| [CVE-2022-25857](https://www.mend.io/vulnerability-database/CVE-2022-25857) | High | 7.5 | snakeyaml-1.24.jar | Transitive | 1.33.0 | ✅ | Unreachable |
| [CVE-2021-29425](https://www.mend.io/vulnerability-database/CVE-2021-29425) | Medium | 4.7 | commons-io-2.4.jar | Transitive | 1.30.0 | ✅ | Unreachable |
| [CVE-2020-9488](https://www.mend.io/vulnerability-database/CVE-2020-9488) | Low | 3.7 | log4j-1.2.17.jar | Transitive | N/A* | ❌ | Unreachable |
| [CVE-2017-18640](https://www.mend.io/vulnerability-database/CVE-2017-18640) | High | 7.5 | snakeyaml-1.24.jar | Transitive | 1.31.0 | ✅ | |
| [CVE-2018-10237](https://www.mend.io/vulnerability-database/CVE-2018-10237) | Medium | 5.9 | guava-23.0.jar | Transitive | N/A* | ❌ | |
| [CVE-2020-13956](https://www.mend.io/vulnerability-database/CVE-2020-13956) | Medium | 5.3 | detected in multiple dependencies | Transitive | 1.31.0 | ✅ | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

## Details

> Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

**CVE-2022-42004**

### Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /calcite-tutorial-9-rule/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - calcite-linq4j-1.26.0.jar
    - avatica-core-1.17.0.jar
      - :x: **jackson-databind-2.10.0.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable

```
com.github.quxiucheng.calcite.schema.tutorial.ModelHandlerTest (Application)
  -> com.fasterxml.jackson.databind.ObjectMapper (Extension)
  -> com.fasterxml.jackson.databind.introspect.JacksonAnnotationIntrospector (Extension)
  -> ❌ com.fasterxml.jackson.databind.ser.impl.AttributePropertyWriter (Vulnerable Component)
```

### Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Publish Date: 2022-10-02

URL: CVE-2022-42004

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.7.1

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.33.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2022-42003**

### Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /calcite-tutorial-9-rule/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - calcite-linq4j-1.26.0.jar
    - avatica-core-1.17.0.jar
      - :x: **jackson-databind-2.10.0.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable

```
com.github.quxiucheng.calcite.schema.tutorial.ModelHandlerTest (Application)
  -> org.apache.calcite.model.JsonRoot (Extension)
  -> org.apache.calcite.model.JsonSchema (Extension)
  -> org.apache.logging.log4j.core.config.LoggerConfig (Extension)
  ...
  -> org.apache.logging.log4j.core.jackson.LogEventWithContextListMixIn (Extension)
  -> org.apache.logging.log4j.core.jackson.ContextDataAsEntryListDeserializer (Extension)
  -> ❌ com.fasterxml.jackson.databind.deser.std.StdDeserializer (Vulnerable Component)
```

### Vulnerability Details

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Publish Date: 2022-10-02

URL: CVE-2022-42003

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.7.1

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.33.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2022-3509**

### Vulnerable Library - protobuf-java-3.6.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /calcite-tutorial-2-parser/parser-3-calcite-tutorial/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.6.1/protobuf-java-3.6.1.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - calcite-linq4j-1.26.0.jar
    - avatica-core-1.17.0.jar
      - :x: **protobuf-java-3.6.1.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable

```
com.github.quxiucheng.calcite.validator.tutorial.IdentifierExpansionSample (Application)
  -> org.apache.calcite.server.CalciteServerStatement (Extension)
  -> org.apache.calcite.avatica.Meta$Signature (Extension)
  -> org.apache.calcite.avatica.proto.Common$AvaticaParameter (Extension)
  -> com.google.protobuf.ExtensionRegistryLite (Extension)
  -> com.google.protobuf.GeneratedMessageLite (Extension)
  -> ❌ com.google.protobuf.Internal$IntList (Vulnerable Component)
```

### Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-11-01

URL: CVE-2022-3509

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.28.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2021-46877**

### Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /calcite-tutorial-9-rule/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - calcite-linq4j-1.26.0.jar
    - avatica-core-1.17.0.jar
      - :x: **jackson-databind-2.10.0.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable

```
com.github.quxiucheng.calcite.schema.tutorial.ModelHandlerTest (Application)
  -> com.fasterxml.jackson.databind.ObjectMapper (Extension)
  -> com.fasterxml.jackson.databind.node.ArrayNode (Extension)
  -> com.fasterxml.jackson.databind.node.BaseJsonNode (Extension)
  -> ❌ com.fasterxml.jackson.databind.node.NodeSerialization (Vulnerable Component)
```

### Vulnerability Details

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
Publish Date: 2023-03-18

URL: CVE-2021-46877

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-46877

Release Date: 2023-03-18

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.33.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2021-22569**

### Vulnerable Library - protobuf-java-3.6.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /calcite-tutorial-2-parser/parser-3-calcite-tutorial/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.6.1/protobuf-java-3.6.1.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - calcite-linq4j-1.26.0.jar
    - avatica-core-1.17.0.jar
      - :x: **protobuf-java-3.6.1.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable

```
com.github.quxiucheng.calcite.validator.tutorial.IdentifierExpansionSample (Application)
  -> org.apache.calcite.jdbc.CalcitePrepare (Extension)
  -> org.apache.calcite.jdbc.CalcitePrepare$CalciteSignature (Extension)
  -> org.apache.calcite.avatica.Meta$Signature (Extension)
  ...
  -> com.google.protobuf.Descriptors$DescriptorValidationException (Extension)
  -> com.google.protobuf.DescriptorProtos$FileDescriptorProto (Extension)
  -> ❌ com.google.protobuf.UnknownFieldSet (Vulnerable Component)
```

### Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-07

URL: CVE-2021-22569

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wrvw-hg22-4m67

Release Date: 2022-01-10

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.1

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.28.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
**CVE-2020-36518**

### Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /calcite-tutorial-9-rule/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - calcite-linq4j-1.26.0.jar
    - avatica-core-1.17.0.jar
      - :x: **jackson-databind-2.10.0.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable

```
com.github.quxiucheng.calcite.schema.tutorial.ModelHandlerTest (Application)
  -> com.fasterxml.jackson.databind.ObjectMapper (Extension)
  -> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
  -> com.fasterxml.jackson.databind.deser.BasicDeserializerFactory (Extension)
  -> com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer (Extension)
  -> ❌ com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla (Vulnerable Component)
```

### Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.33.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**WS-2019-0379**

### Vulnerable Library - commons-codec-1.12.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.12/commons-codec-1.12.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - calcite-linq4j-1.26.0.jar
    - avatica-core-1.17.0.jar
      - httpclient-4.5.9.jar
        - :x: **commons-codec-1.12.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable

```
com.github.quxiucheng.calcite.validator.tutorial.IdentifierExpansionSample (Application)
  -> org.apache.calcite.jdbc.CalcitePrepare (Extension)
  -> org.apache.calcite.jdbc.CalcitePrepare$ConvertResult (Extension)
  -> org.apache.calcite.avatica.remote.AvaticaHttpClientFactoryImpl (Extension)
  ...
  -> org.apache.http.impl.auth.SPNegoSchemeFactory (Extension)
  -> org.apache.http.impl.auth.SPNegoScheme (Extension)
  -> ❌ org.apache.commons.codec.binary.Base64 (Vulnerable Component)
```

### Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20

URL: WS-2019-0379

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution (commons-codec:commons-codec): 1.13

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.27.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2021-27568**

### Vulnerable Library - json-smart-2.3.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: http://www.minidev.net/

Path to dependency file: /calcite-tutorial-4-validator/validator-1-calcite-validator/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.3/json-smart-2.3.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - json-path-2.4.0.jar
    - :x: **json-smart-2.3.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable

```
com.github.quxiucheng.calcite.schema.tutorial.TutorialTableSchema (Application)
  -> org.apache.calcite.schema.impl.AbstractSchema (Extension)
  -> org.apache.calcite.schema.Function (Extension)
  -> com.jayway.jsonpath.internal.DefaultsImpl (Extension)
  ...
  -> net.minidev.json.parser.JSONParser (Extension)
  -> net.minidev.json.parser.JSONParserReader (Extension)
  -> ❌ net.minidev.json.parser.JSONParserBase (Vulnerable Component)
```

### Vulnerability Details

An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.

Publish Date: 2021-02-23

URL: CVE-2021-27568

### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-02-23

Fix Resolution (net.minidev:json-smart): 2.3.1

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.30.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
**CVE-2022-3171**

### Vulnerable Library - protobuf-java-3.6.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /calcite-tutorial-2-parser/parser-3-calcite-tutorial/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.6.1/protobuf-java-3.6.1.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - calcite-linq4j-1.26.0.jar
    - avatica-core-1.17.0.jar
      - :x: **protobuf-java-3.6.1.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable

```
com.github.quxiucheng.calcite.validator.tutorial.IdentifierExpansionSample (Application)
  -> org.apache.calcite.server.CalciteServerStatement (Extension)
  -> org.apache.calcite.avatica.Meta$Signature (Extension)
  -> org.apache.calcite.avatica.proto.Common$AvaticaParameter (Extension)
  -> com.google.protobuf.ExtensionRegistryLite (Extension)
  -> com.google.protobuf.GeneratedMessageLite (Extension)
  -> ❌ com.google.protobuf.Internal$IntList (Vulnerable Component)
```

### Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.28.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**WS-2020-0287**

### Vulnerable Library - commons-dbcp2-2.6.0.jar

Apache Commons DBCP software implements Database Connection Pooling

Path to dependency file: /calcite-tutorial-4-validator/validator-1-calcite-validator/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-dbcp2/2.6.0/commons-dbcp2-2.6.0.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - :x: **commons-dbcp2-2.6.0.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable

```
com.github.quxiucheng.tutorial.common.catalog.TutorialCalciteCatalogReader (Application)
  -> org.apache.calcite.jdbc.CalciteSchema (Extension)
  -> org.apache.calcite.jdbc.CalciteSchema$SchemaPlusImpl (Extension)
  -> org.apache.calcite.adapter.jdbc.JdbcSchema (Extension)
  -> org.apache.calcite.adapter.jdbc.JdbcUtils$DataSourcePool (Extension)
  -> ❌ org.apache.commons.dbcp2.BasicDataSource (Vulnerable Component)
```

### Vulnerability Details

Apache commons-dbcp through 2.8.0 exposes sensitive information via JMX. If a BasicDataSource is created with jmxName set, the password property is exposed/exported via JMX and is visible to everybody who is connected to the JMX port.
Publish Date: 2020-03-04

URL: WS-2020-0287

### CVSS 3 Score Details (3.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0287

Release Date: 2020-03-04

Fix Resolution (org.apache.commons:commons-dbcp2): 2.9.0

Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.36.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-9493**

### Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - uzaygezen-core-0.2.jar
    - :x: **log4j-1.2.17.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

**CVE-2019-17571**

### Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - uzaygezen-core-0.2.jar
    - :x: **log4j-1.2.17.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.
### Suggested Fix

Type: Upgrade version

Origin: test

Release Date: 2019-12-20

Fix Resolution: test

**CVE-2022-23305**

### Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - uzaygezen-core-0.2.jar
    - :x: **log4j-1.2.17.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

### CVSS 3 Score Details (9.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

**CVE-2022-23307**

### Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /calcite-tutorial-3-schema/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:
- calcite-core-1.26.0.jar (Root Library)
  - uzaygezen-core-0.2.jar
    - :x: **log4j-1.2.17.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.
### Suggested Fix Type: Upgrade version Release Date: 2022-01-18 Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1 CVE-2022-23302 ### Vulnerable Library - log4j-1.2.17.jar Apache Log4j 1.2 Library home page: http://logging.apache.org/log4j/1.2/ Path to dependency file: /calcite-tutorial-3-schema/pom.xml Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar Dependency Hierarchy: - calcite-core-1.26.0.jar (Root Library) - uzaygezen-core-0.2.jar - :x: **log4j-1.2.17.jar** (Vulnerable Library) Found in base branch: master ### Reachability Analysis The vulnerable code is unreachable ### Vulnerability Details JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. Publish Date: 2022-01-18 URL: CVE-2022-23302 ### CVSS 3 Score Details (8.8) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High For more information on CVSS3 Scores, click here. 
### Suggested Fix Type: Upgrade version Origin: https://reload4j.qos.ch/ Release Date: 2022-01-18 Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1 CVE-2022-1471 ### Vulnerable Library - snakeyaml-1.24.jar YAML 1.1 parser and emitter for Java Library home page: http://www.snakeyaml.org Path to dependency file: /calcite-tutorial-3-schema/pom.xml Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar Dependency Hierarchy: - calcite-core-1.26.0.jar (Root Library) - jackson-dataformat-yaml-2.10.0.jar - :x: **snakeyaml-1.24.jar** (Vulnerable Library) Found in base branch: master ### Reachability Analysis The vulnerable code is unreachable ### Vulnerability Details SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. Publish Date: 2022-12-01 URL: CVE-2022-1471 ### CVSS 3 Score Details (8.3) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low For more information on CVSS3 Scores, click here. ### Suggested Fix Type: Upgrade version Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374 Release Date: 2022-12-01 Fix Resolution (org.yaml:snakeyaml): 2.0 Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.35.0 :rescue_worker_helmet: Automatic Remediation will be attempted for this issue. 
CVE-2023-26464 ### Vulnerable Library - log4j-1.2.17.jar Apache Log4j 1.2 Library home page: http://logging.apache.org/log4j/1.2/ Path to dependency file: /calcite-tutorial-3-schema/pom.xml Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar Dependency Hierarchy: - calcite-core-1.26.0.jar (Root Library) - uzaygezen-core-0.2.jar - :x: **log4j-1.2.17.jar** (Vulnerable Library) Found in base branch: master ### Reachability Analysis The vulnerable code is unreachable ### Vulnerability Details ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Publish Date: 2023-03-10 URL: CVE-2023-26464 ### CVSS 3 Score Details (7.5) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High For more information on CVSS3 Scores, click here. 
### Suggested Fix Type: Upgrade version Origin: https://github.com/advisories/GHSA-vp98-w2p3-mv35 Release Date: 2023-03-10 Fix Resolution: org.apache.logging.log4j:log4j-core:2.0 CVE-2022-25857 ### Vulnerable Library - snakeyaml-1.24.jar YAML 1.1 parser and emitter for Java Library home page: http://www.snakeyaml.org Path to dependency file: /calcite-tutorial-3-schema/pom.xml Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar Dependency Hierarchy: - calcite-core-1.26.0.jar (Root Library) - jackson-dataformat-yaml-2.10.0.jar - :x: **snakeyaml-1.24.jar** (Vulnerable Library) Found in base branch: master ### Reachability Analysis The vulnerable code is unreachable ### Vulnerability Details The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. Publish Date: 2022-08-30 URL: CVE-2022-25857 ### CVSS 3 Score Details (7.5) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High For more information on CVSS3 Scores, click here. ### Suggested Fix Type: Upgrade version Origin: test Release Date: 2022-08-30 Fix Resolution (org.yaml:snakeyaml): 1.31 Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.33.0 :rescue_worker_helmet: Automatic Remediation will be attempted for this issue. CVE-2021-29425 ### Vulnerable Library - commons-io-2.4.jar The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more. 
Library home page: http://commons.apache.org/io/ Path to dependency file: /calcite-tutorial-2-parser/parser-4-calcite-custom-tutorial/pom.xml Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar Dependency Hierarchy: - calcite-core-1.26.0.jar (Root Library) - :x: **commons-io-2.4.jar** (Vulnerable Library) Found in base branch: master ### Reachability Analysis The vulnerable code is unreachable ### Vulnerability Details In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. Publish Date: 2021-04-13 URL: CVE-2021-29425 ### CVSS 3 Score Details (4.7) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None For more information on CVSS3 Scores, click here. ### Suggested Fix Type: Upgrade version Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425 Release Date: 2021-04-13 Fix Resolution (commons-io:commons-io): 2.7 Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.30.0 :rescue_worker_helmet: Automatic Remediation will be attempted for this issue. 
CVE-2020-9488 ### Vulnerable Library - log4j-1.2.17.jar Apache Log4j 1.2 Library home page: http://logging.apache.org/log4j/1.2/ Path to dependency file: /calcite-tutorial-3-schema/pom.xml Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar Dependency Hierarchy: - calcite-core-1.26.0.jar (Root Library) - uzaygezen-core-0.2.jar - :x: **log4j-1.2.17.jar** (Vulnerable Library) Found in base branch: master ### Reachability Analysis The vulnerable code is unreachable ### Vulnerability Details Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 Publish Date: 2020-04-27 URL: CVE-2020-9488 ### CVSS 3 Score Details (3.7) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None For more information on CVSS3 Scores, click here. ### Suggested Fix Type: Upgrade version Origin: https://reload4j.qos.ch/ Release Date: 2020-04-27 Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3 CVE-2017-18640 ### Vulnerable Library - snakeyaml-1.24.jar YAML 1.1 parser and emitter for Java Library home page: http://www.snakeyaml.org Path to dependency file: /calcite-tutorial-3-schema/pom.xml Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar Dependency Hierarchy: - calcite-core-1.26.0.jar (Root Library) - jackson-dataformat-yaml-2.10.0.jar - :x: **snakeyaml-1.24.jar** (Vulnerable Library) Found in base branch: master ### Vulnerability Details The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564. 
Publish Date: 2019-12-12 URL: CVE-2017-18640 ### CVSS 3 Score Details (7.5) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High For more information on CVSS3 Scores, click here. ### Suggested Fix Type: Upgrade version Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640 Release Date: 2019-12-12 Fix Resolution (org.yaml:snakeyaml): 1.26 Direct dependency fix Resolution (org.apache.calcite:calcite-core): 1.31.0 :rescue_worker_helmet: Automatic Remediation will be attempted for this issue. *** :rescue_worker_helmet:Automatic Remediation will be attempted for this issue.