{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T06:19:27.012","vulnerabilities":[{"cve":{"id":"CVE-2020-13955","sourceIdentifier":"security@apache.org","published":"2020-10-09T13:15:11.083","lastModified":"2024-11-21T05:02:13.820","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore."},{"lang":"es","value":"El método HttpUtils#getURLConnection deshabilita explícitamente una verificación del nombre de host para las conexiones HTTPS, haciendo a clientes vulnerables a unos ataques de tipo man-in-the-middle. Calcite usa internamente este método para conectarse con Druid y Splunk, por lo que puede ocurrir un filtrado de información al usar los adaptadores de Calcite respectivos. El método en sí está en una clase de utilidad, por lo que las personas pueden usarlo para crear conexiones HTTPS vulnerables para otras aplicaciones. Desde Apache Calcite versión 1.26 en adelante, la verificación del nombre de host se llevará a cabo usando el almacén de confianza JVM predeterminado"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-295"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:calcite:*:*:*:*:*:*:*:*","versionEndExcluding":"1.26","matchCriteriaId":"D3CC3540-ED58-4099-88C5-B28C2272A6DD"}]}]}],"references":[{"url":"https://lists.apache.org/thread.html/r0b0fbe2038388175951ce1028182d980f9e9a7328be13d52dab70bb3%40%3Cdev.calcite.apache.org%3E","source":"security@apache.org","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.apache.org/thread.html/r0b0fbe2038388175951ce1028182d980f9e9a7328be13d52dab70bb3%40%3Cdev.calcite.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}}]}