Affecting org.apache.calcite:calcite-core artifact, versions [, 1.26)
org.apache.calcite:calcite-core is a dynamic data management framework.
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The HttpUtils#getURLConnection method explicitly disables hostname verification for HTTPS connections, making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect to Druid and Splunk, so information leakage may occur when using the respective Calcite adapters.
The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications.
Upgrade org.apache.calcite:calcite-core to version 1.26 or higher.
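
The weakness described above, next to a connection that keeps the JVM default and a guard for connections obtained from a helper, as an added Java example (not Calcite's code). The class and method names and the `druid.example.invalid` URL are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

// Added illustration; all names here are hypothetical, not Calcite's API.
public class HostnameVerificationCheck {

    // The weakness described above: a verifier that accepts every host name.
    // The JDK consults the verifier only when the certificate does not match
    // the URL's host, so returning true turns every mismatch into a pass.
    static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    // Vulnerable form: host name checking is explicitly switched off.
    static HttpsURLConnection openUnverified(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setHostnameVerifier(ACCEPT_ALL);
        return conn;
    }

    // Hardened form: leave the JVM default in place, so a certificate issued
    // for another host makes the connection fail.
    static HttpsURLConnection openVerified(String url) throws IOException {
        return (HttpsURLConnection) new URL(url).openConnection();
    }

    // Guard for connections returned by a helper you do not control: refuse
    // any connection whose verifier was replaced. Assumes the application has
    // not changed the default via setDefaultHostnameVerifier.
    static HttpsURLConnection requireDefaultVerifier(HttpsURLConnection conn) {
        if (conn.getHostnameVerifier() != HttpsURLConnection.getDefaultHostnameVerifier()) {
            throw new SecurityException("hostname verification overridden for " + conn.getURL());
        }
        return conn;
    }

    public static void main(String[] args) throws IOException {
        // Constructed URL; openConnection() does not touch the network.
        String url = "https://druid.example.invalid/status";
        requireDefaultVerifier(openVerified(url));
        System.out.println("default verifier kept: accepted");
        try {
            requireDefaultVerifier(openUnverified(url));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```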