SCA: security update for org.apache.calcite.avatica:avatica-core (GHSA-w7f5-jrpr-5c2m)

high Tenable Cloud Security Plugin ID 419783

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via
`httpclient_impl` connection property; however, the driver does not verify if the class implements the
expected interface before instantiating it, which can lead to code execution loaded via arbitrary classes
and in rare cases remote code execution. To exploit the vulnerability: 1) the attacker needs to have
privileges to control JDBC connection parameters; 2) and there should be a vulnerable class (constructor
with URL parameter and ability to execute code) in the classpath. From Apache Calcite Avatica 1.22.0
onwards, it will be verified that the class implements the expected interface before invoking its
constructor. (CVE-2022-36364)

See Also

https://github.com/advisories/GHSA-w7f5-jrpr-5c2m

Plugin Details

Severity: High

ID: 419783

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.82

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-36364

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/29/2022

Vulnerability Publication Date: 7/28/2022

Reference Information

CVE: CVE-2022-36364

cwe: CWE-665