CVE-2020-13955
Cryptographic Issue vulnerability in calcite-core (Maven)


What is CVE-2020-13955 About?

This vulnerability is a cryptographic issue in the `pbkdf2` library on Node.js versions older than 3.0.0, where it silently disregards `Uint8Array` input for password and salt. This leads to the generation of static, predictable hashes instead of cryptographically secure ones, severely undermining security. Exploitation is simple if the affected Node.js versions are in use and `Uint8Array` is supplied as input.

Affected Software

  • org.apache.calcite:calcite-core
    • <1.26.0
  • org.apache.calcite:calcite-druid
    • <1.26.0
  • org.apache.calcite:calcite-splunk
    • <1.26.0

Technical Details

The `pbkdf2` library, specifically in Node.js versions 0.12 through 2.x, contains a flaw in its `toBuffer` method. When `Uint8Array` is provided as input for the password or salt parameters to `pbkdf2Sync`, the library fails to correctly process this input. Instead of using the supplied `Uint8Array`, it defaults to using empty data (`''`) for both the password and salt. This results in the `pbkdf2` function consistently producing the same, static hash output, regardless of the actual `Uint8Array` input. The vulnerability effectively renders the key derivation function useless for its intended cryptographic purpose, as it outputs a predictable value rather than a secure, derived key.
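A regression check for the behaviour described above, as an added example that is not code from the advisory or from the `pbkdf2` project. The names `checkTypedArrayHandling` and `flawedPbkdf2Sync` are hypothetical, the flawed stand-in is constructed to mimic the described fallback to empty data, and Node's built-in `crypto.pbkdf2Sync` serves as the implementation under test.

```javascript
const crypto = require('node:crypto');

// Parameters chosen for a fast self-test, not for production password hashing.
const ITERATIONS = 1000;
const KEYLEN = 32;
const DIGEST = 'sha256';

// Constructed stand-in for the flaw: any input that is not a string or a
// Buffer (for example a plain Uint8Array) is silently replaced with ''.
function flawedPbkdf2Sync(password, salt, iterations, keylen, digest) {
  const coerce = (v) => (typeof v === 'string' || Buffer.isBuffer(v) ? v : '');
  return crypto.pbkdf2Sync(coerce(password), coerce(salt), iterations, keylen, digest);
}

// Returns a list of problems; an empty list means Uint8Array inputs are honored.
function checkTypedArrayHandling(pbkdf2Sync) {
  const derive = (pw, salt) => pbkdf2Sync(pw, salt, ITERATIONS, KEYLEN, DIGEST);

  // Constructed sample inputs.
  const password = new Uint8Array([0x70, 0x61, 0x73, 0x73]); // "pass"
  const otherPassword = new Uint8Array([0x77, 0x6f, 0x72, 0x64]); // "word"
  const salt = new Uint8Array(16).fill(0xa5);

  const fromTyped = derive(password, salt);
  const fromBuffer = derive(Buffer.from(password), Buffer.from(salt));
  const fromEmpty = derive('', '');
  const fromOther = derive(otherPassword, salt);

  const problems = [];
  if (fromTyped.equals(fromEmpty)) {
    problems.push('Uint8Array input produced the empty-input derivation');
  }
  if (!fromTyped.equals(fromBuffer)) {
    problems.push('Uint8Array and equivalent Buffer inputs disagree');
  }
  if (fromTyped.equals(fromOther)) {
    problems.push('different Uint8Array passwords produced the same key');
  }
  return problems;
}

console.log('built-in crypto:', checkTypedArrayHandling(crypto.pbkdf2Sync));
console.log('flawed stand-in:', checkTypedArrayHandling(flawedPbkdf2Sync));
```

Passing the `pbkdf2Sync` export of whichever library an application actually loads runs the same three checks against it.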

What is the Impact of CVE-2020-13955?

Successful exploitation may allow attackers to undermine security by compromising static hashes used as keys or passwords, leading to unauthorized access, data compromise, or complete bypass of authentication mechanisms.

What is the Exploitability of CVE-2020-13955?

Exploitation of this vulnerability is straightforward provided the target system is operating on Node.js versions older than 3.0.0 and utilizes the `pbkdf2` library with `Uint8Array` inputs. There are no complex prerequisites, authentication, or privilege requirements beyond the application using the affected library and Node.js version. This is a local vulnerability in the sense that the flawed `pbkdf2` function must be called within the application. The primary constraint is the outdated Node.js runtime. The risk is high if an application on such a legacy system relies on `pbkdf2` for security-sensitive operations like password hashing or key derivation, as it directly leads to predictable outputs for inputs that should be random or unique.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2020-13955?

Available Upgrade Options

  • org.apache.calcite:calcite-druid
    • <1.26.0 → Upgrade to 1.26.0
  • org.apache.calcite:calcite-core
    • <1.26.0 → Upgrade to 1.26.0
  • org.apache.calcite:calcite-splunk
    • <1.26.0 → Upgrade to 1.26.0


What are Similar Vulnerabilities to CVE-2020-13955?

Similar Vulnerabilities: CVE-2023-27461, CVE-2023-25591, CVE-2022-3179, CVE-2022-3592, CVE-2021-39148