CVE-2020-13955
Description
The HttpUtils#getURLConnection method explicitly disables hostname verification for HTTPS connections, making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect to Druid and Splunk, so information leakage may occur when using the respective Calcite adapters. The method itself is in a utility class, so people may use it to create vulnerable HTTPS connections in other applications. From Apache Calcite 1.26 onwards, hostname verification is performed using the default JVM truststore.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Calcite's HttpUtils#getURLConnection disables HTTPS hostname verification, enabling man-in-the-middle attacks; fixed in 1.26.
Vulnerability
Description
The HttpUtils#getURLConnection method in Apache Calcite explicitly disables hostname verification for HTTPS connections. It sets a hostname verifier that always returns true and uses a trust-all SSL socket factory, effectively bypassing certificate validation [1][2]. This design flaw makes any HTTPS connection created through this method vulnerable to man-in-the-middle (MITM) attacks.
Exploitation
Calcite uses this method internally to connect to Druid and Splunk via its adapters, and the method is also publicly available as a utility for other applications [1]. An attacker with network access can intercept HTTPS traffic, present a fake certificate, and because hostname verification is disabled, the client will accept the connection without validation. No additional authentication is required beyond network positioning.
Impact
Successful exploitation allows an attacker to perform MITM attacks, enabling eavesdropping, modification, or injection of data in communications between Calcite and Druid/Splunk. This can lead to information leakage and compromise of sensitive data transmitted over HTTPS [1].
Mitigation
The vulnerability is fixed in Apache Calcite version 1.26.0. The fix removes the custom hostname verifier and trust-all socket factory, relying instead on the default JVM truststore for hostname verification [2][3]. Users should upgrade to Calcite 1.26.0 or later to mitigate the risk.
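The following Java class is an added example, not Calcite's own code and not part of the advisory. It shows the corrected pattern from the Vulnerability and Mitigation sections above (an HttpsURLConnection left with the JDK's default SSLSocketFactory and HostnameVerifier) next to the proper way to handle a Druid or Splunk endpoint signed by a private CA: trust that CA only, instead of a trust-all factory, and never touch the hostname verifier. The class name SafeHttpUtils, the caPemPath argument, and the placeholder URL are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Apache Calcite code): opening HTTPS connections
 * without weakening certificate validation or hostname verification.
 */
public final class SafeHttpUtils {
  private SafeHttpUtils() {}

  /**
   * Same shape as the fixed Calcite method: the JVM truststore and the
   * default HostnameVerifier stay in place, so a certificate that does not
   * match the URL host is rejected.
   */
  public static HttpURLConnection getURLConnection(String url) throws IOException {
    return (HttpURLConnection) new URL(url).openConnection();
  }

  /**
   * For an endpoint whose certificate chains to a private CA: trust that CA
   * only (loaded from a PEM file at the hypothetical caPemPath) while keeping
   * hostname verification. This is the alternative to "trust all".
   */
  public static HttpURLConnection getURLConnection(String url, String caPemPath)
      throws IOException, GeneralSecurityException {
    HttpURLConnection conn = getURLConnection(url);
    if (conn instanceof HttpsURLConnection) {
      HttpsURLConnection https = (HttpsURLConnection) conn;
      https.setSSLSocketFactory(privateCaContext(caPemPath).getSocketFactory());
      // Deliberately no setHostnameVerifier(...): the default verifier
      // checks the certificate's SAN/CN against the host in the URL.
    }
    return conn;
  }

  /** Builds an SSLContext whose only trust anchors are the CA certs in the PEM file. */
  private static SSLContext privateCaContext(String caPemPath)
      throws IOException, GeneralSecurityException {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    trustStore.load(null, null); // empty in-memory truststore
    try (InputStream in = new FileInputStream(caPemPath)) {
      int i = 0;
      for (Certificate ca : cf.generateCertificates(in)) {
        trustStore.setCertificateEntry("private-ca-" + i++, ca);
      }
    }
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }

  /** Guard for a unit test: true if nobody replaced the JDK hostname verifier. */
  public static boolean hasDefaultHostnameVerifier(HttpsURLConnection conn) {
    return conn.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier();
  }

  public static void main(String[] args) throws Exception {
    // Placeholder URL; pass a real endpoint (and optionally a CA PEM path) as arguments.
    String url = args.length > 0 ? args[0] : "https://example.invalid/";
    HttpURLConnection conn =
        args.length > 1 ? getURLConnection(url, args[1]) : getURLConnection(url);
    if (conn instanceof HttpsURLConnection) {
      System.out.println("default hostname verifier in place: "
          + hasDefaultHostnameVerifier((HttpsURLConnection) conn));
    }
    // Against a server whose certificate is untrusted or does not match the
    // host, this throws an SSL exception instead of silently succeeding.
    System.out.println("HTTP status: " + conn.getResponseCode());
  }
}
```

The practical consequence of the 1.26.0 fix is that deployments which relied on the old bypass to reach self-signed Druid or Splunk instances will start failing the handshake; the remedy is to import the CA into the JVM truststore or use a per-connection truststore as in the second overload, not to restore a trust-all factory.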
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.calcite:calcite-core (Maven) | < 1.26.0 | 1.26.0 |
| org.apache.calcite:calcite-druid (Maven) | < 1.26.0 | 1.26.0 |
| org.apache.calcite:calcite-splunk (Maven) | < 1.26.0 | 1.26.0 |
Affected products
GHSA coordinates, 3 affected packages (no CPE):
- pkg:maven/org.apache.calcite/calcite-core, range: < 1.26.0
- pkg:maven/org.apache.calcite/calcite-druid, range: < 1.26.0
- pkg:maven/org.apache.calcite/calcite-splunk, range: < 1.26.0
Patches
43eeafcbac29 [CALCITE-4298] Avoid disabling hostname verification on HTTPS connections
1 file changed · +1 −16
core/src/main/java/org/apache/calcite/runtime/HttpUtils.java+1 −16 modified@@ -23,11 +23,9 @@ import java.io.Writer; import java.net.HttpURLConnection; import java.net.URL; -import java.net.URLConnection; import java.net.URLEncoder; import java.nio.charset.StandardCharsets; import java.util.Map; -import javax.net.ssl.HttpsURLConnection; /** * Utilities for connecting to REST services such as Splunk via HTTP. @@ -37,20 +35,7 @@ private HttpUtils() {} public static HttpURLConnection getURLConnection(String url) throws IOException { - URLConnection conn = new URL(url).openConnection(); - final HttpURLConnection httpConn = (HttpURLConnection) conn; - - // take care of https stuff - most of the time it's only needed to - // secure client/server comm - // not to establish the identity of the server - if (httpConn instanceof HttpsURLConnection) { - HttpsURLConnection httpsConn = (HttpsURLConnection) httpConn; - httpsConn.setSSLSocketFactory( - TrustAllSslSocketFactory.createSSLSocketFactory()); - httpsConn.setHostnameVerifier((arg0, arg1) -> true); - } - - return httpConn; + return (HttpURLConnection) new URL(url).openConnection(); } public static void appendURLEncodedArgs(
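Review bot: in the getURLConnection hunk, the removed call to TrustAllSslSocketFactory.createSSLSocketFactory() was the only use shown here, yet only one file changes, so the TrustAllSslSocketFactory class itself stays in the code base; consider deprecating or removing it in the same change so the trust-all pattern cannot be reintroduced by another caller. The method's Javadoc should also state that HTTPS validation now relies on the JVM default truststore and hostname verifier, since Druid and Splunk deployments that depended on the old bypass for self-signed certificates will start failing after this change and need their CA trusted properly instead.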
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-hxp5-8pgq-mgv9 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-13955 (NVD advisory)
- https://github.com/apache/calcite/commit/43eeafcbac29d02c72bd520c003cdfc571de2d15 (fix commit)
- https://issues.apache.org/jira/browse/CALCITE-4298 (issue tracker)
- https://lists.apache.org/thread.html/r0b0fbe2038388175951ce1028182d980f9e9a7328be13d52dab70bb3%40%3Cdev.calcite.apache.org%3E (dev mailing list announcement)