Skip to content

[GHSA-fj2m-w3wv-x9pr] Apache Calcite before 1.32.0 vulnerable to potential XML External Entity (XXE) attack#8687

Open
levpachmanov wants to merge 1 commit into
levpachmanov/advisory-improvement-8687from
levpachmanov-GHSA-fj2m-w3wv-x9pr
Open

[GHSA-fj2m-w3wv-x9pr] Apache Calcite before 1.32.0 vulnerable to potential XML External Entity (XXE) attack#8687
levpachmanov wants to merge 1 commit into
levpachmanov/advisory-improvement-8687from
levpachmanov-GHSA-fj2m-w3wv-x9pr

Conversation

@levpachmanov

Copy link
Copy Markdown

Updates

  • Affected products

Comments

Summary

CVE-2022-39135 is an XML External Entity (XXE) vulnerability in Apache Calcite. A crafted SQL query can read local files (and reach internal network resources) through four SQL operators that parse XML without disabling Document Type Declarations / external entity resolution:

  • EXISTS_NODE
  • EXTRACT_XML
  • XML_TRANSFORM
  • EXTRACT_VALUE

All four are implemented in the class org.apache.calcite.runtime.XmlFunctions. The fix (1.32.0) hardens that class to use a secure DocumentBuilderFactory / TransformerFactory with DTDs and external entities disabled.

Why 1.19.0 is not affected

The vulnerable code did not exist when 1.19.0 was released. The class XmlFunctions.java — which contains all four affected operators — was added to Calcite's main branch ~9 months after 1.19.0 shipped, and first appeared in a release in 1.22.0.

Event Date Reference
calcite-1.19.0 released 2019-03-20 tag calcite-1.19.0
XmlFunctions.java introduced 2019-12-11 commit 1ddc1c3a0c61 — [CALCITE-3552] MySQL ExtractValue

The vulnerable class was created ~9 months after 1.19.0 was released, so 1.19.0 has no XML-parsing attack surface. This is consistent with NVD's affected range of 1.22.0 → 1.31.x (1.22.0 being the first release that shipped the class). 1.19.0 is therefore not applicable.

Source code references

Fixing commit

Vulnerability databases

Database Stated affected range Covers 1.19.0?
NVD 1.22.01.31.x (i.e. [1.22.0, 1.32.0)) No ✅
Snyk [1.22.0, 1.32.0) No ✅
GitHub Advisory (GHSA-fj2m-w3wv-x9pr) < 1.32.0 (no lower bound) Yes — but this is overly broad ⚠️
MITRE Mirrors NVD No ✅

@github-actions github-actions Bot changed the base branch from main to levpachmanov/advisory-improvement-8687 July 12, 2026 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant