[
https://issues.apache.org/jira/browse/HIVE-27410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17731472#comment-17731472
]
Yeachan Park commented on HIVE-27410:
-------------------------------------
Has this been resolved? I still see calcite-core is still 1.25 in master. It
seems like both issues have been marked as duplicates and not actually resolved.
> Calcite upgrade to 1.32.0 to fix CVE-2022-39135
> -----------------------------------------------
>
> Key: HIVE-27410
> URL: https://issues.apache.org/jira/browse/HIVE-27410
> Project: Hive
> Issue Type: Task
> Reporter: Diksha
> Priority: Major
>
> In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE,
> EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External
> Entity references in their configuration, which makes them vulnerable to a
> potential XML External Entity (XXE) attack. Therefore any client exposing
> these operators, typically by using Oracle dialect (the first three) or MySQL
> dialect (the last one), is affected by this vulnerability (the extent of it
> will depend on the user under which the application is running). From Apache
> Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity
> resolution are disabled on the impacted operators.
>
> It is recommended to upgrade to version 1.32.0 to fix CVE-2022-39135.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
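As an added illustration of the fix the quoted description refers to (disabling Document Type Declarations and external entity resolution before an XML operator parses its input), here is a hardened JAXP parser configuration wrapped in a hypothetical stand-in for EXTRACT_VALUE. This is example code written for this page, not Calcite's or Hive's implementation; the class and method names are assumptions, and both input documents are constructed samples.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import java.io.IOException;
import java.io.StringReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedExtractValue {
    // Builds a DocumentBuilder with DTDs and external entity resolution disabled.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...> outright; entity declarations can only live there.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be permitted: no external entities or DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Hypothetical stand-in for EXTRACT_VALUE(xml, xpath): string value of the XPath result.
    static String extractValue(String xml, String xpath) throws ParserConfigurationException,
            SAXException, IOException, XPathExpressionException {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        XPath xp = XPathFactory.newInstance().newXPath();
        return xp.evaluate(xpath, doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: plain XML, evaluates normally and prints "1".
        System.out.println(extractValue("<root><a>1</a></root>", "/root/a"));
        // Constructed input 2: carries a DOCTYPE; the hardened parser refuses it
        // before any entity (internal or external) could be resolved.
        try {
            extractValue("<!DOCTYPE root [<!ENTITY e \"x\">]><root><a>&e;</a></root>", "/root/a");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same feature settings apply to SAXParserFactory and XMLInputFactory-based parsers; whichever parser an operator uses, the check to make is that a document containing a DOCTYPE is rejected rather than parsed.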