CVE-2022-39135
XML External Entity (XXE) Injection vulnerability in calcite-core (Maven)

XML External Entity (XXE) Injection No known exploit

What is CVE-2022-39135 About?

Apache Calcite versions prior to 1.32.0 are vulnerable to XML External Entity (XXE) attacks due to unrestricted XML External Entity references in certain SQL operators. This can lead to information disclosure or server-side request forgery, affecting clients using Oracle or MySQL dialects. Exploitation is possible if these specific operators are exposed.

Affected Software

org.apache.calcite:calcite-core <1.32.0

Technical Details

The XML External Entity (XXE) vulnerability in Apache Calcite versions before 1.32.0 arises from the failure of SQL operators like EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM (Oracle dialect), and EXTRACT_VALUE (MySQL dialect) to restrict XML External Entity references in their configuration. When these operators process XML input, they can parse and resolve external entities defined within the XML document. An attacker can craft malicious XML input that includes references to external entities, such as local files or remote resources (e.g., <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>). If the client application exposes these operators, the parser will attempt to resolve these entities, potentially leading to unauthorized disclosure of local files, server-side request forgery (SSRF), or other system compromise depending on the privileges of the underlying user running the application.

What is the Impact of CVE-2022-39135?

Successful exploitation may allow attackers to disclose sensitive local files, perform server-side request forgery (SSRF), compromise backend systems, and potentially execute arbitrary code depending on system configuration.

What is the Exploitability of CVE-2022-39135?

Exploitation of this XXE vulnerability typically requires the ability to submit SQL queries that utilize the vulnerable operators (EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM, EXTRACT_VALUE with Oracle or MySQL dialects). The complexity is moderate, as it involves crafting specific XML payloads within SQL queries. Authentication to the database or the application exposing these operators is usually a prerequisite. This is typically a remote attack if the database or application interface is network accessible. No special privileges beyond the ability to execute SQL queries with these functions are required. The risk factors are significantly increased if the application widely exposes these specific SQL operators, especially with user-controlled input, and if the database or application runs with elevated privileges that could allow access to sensitive system files.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2022-39135?

Available Upgrade Options

  • org.apache.calcite:calcite-core
    • <1.32.0 → Upgrade to 1.32.0

What are Similar Vulnerabilities to CVE-2022-39135?

Similar Vulnerabilities: CVE-2023-45585, CVE-2023-28634, CVE-2023-49089, CVE-2023-46233, CVE-2023-46232