N/A

HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.

N/A

N/A

Apache Calcite 访问控制错误漏洞

Apache Calcite是美国阿帕奇（Apache）基金会的一个开源框架，用于构建数据库和数据管理系统。 Apache Calcite 存在访问控制错误漏洞，该漏洞源于网络系统或产品未正确限制来自未授权角色的资源访问。该漏洞允许攻击者进行中间人攻击。

N/A

N/A