VYPR
Critical severity · NVD Advisory · Published Sep 11, 2022 · Updated Aug 3, 2024

Apache Calcite: potential XEE attacks

CVE-2022-39135

Description

Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE, which do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using the Oracle dialect (the first three) or the MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Calcite SQL operators in versions 1.22.0 to 1.31.0 are vulnerable to XXE attacks via Oracle/MySQL dialect XML functions, fixed in 1.32.0.

Vulnerability

Description

Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM, and EXTRACT_VALUE, and versions 1.22.0 through 1.31.0 ship them with XML parsing that does not restrict XML External Entity (XXE) references. This makes them vulnerable to XXE attacks when exposed to untrusted input [1]. The vulnerability affects any client that exposes these operators, typically by using the Oracle dialect (for the first three operators) or the MySQL dialect (for EXTRACT_VALUE) [1].

Exploitation

An attacker who can supply SQL queries to an application that uses the affected Apache Calcite operators can trigger an XXE attack. In deployments such as Apache Solr, the /sql handler in SolrCloud mode (versions 6.5 to 8.11.2 and 9.0) can be used to send malicious SQL queries that exploit this vulnerability, though such handlers are typically only exposed to internal analysts via JDBC tooling [2]. Successful exploitation requires the attacker to be able to submit crafted SQL statements containing malicious XML content [1].

Impact

An XXE attack can lead to disclosure of confidential data (e.g., local files), denial of service, server-side request forgery (SSRF), and port scanning from the affected server [1][2]. The actual impact depends on the privileges of the user under which the application runs [1].

Mitigation

The vulnerability is fixed in Apache Calcite version 1.32.0, which disables Document Type Declarations (DTDs) and XML External Entity resolution on the impacted operators [1]. Users of Apache Solr affected by this issue (versions 6.5 to 8.11.2 and 9.0) should upgrade to a patched Solr release that incorporates the fixed Calcite version [2]. No workarounds are documented; upgrading is the recommended action.
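The fix described above amounts to configuring the JAXP parsers behind these operators so that a DOCTYPE is rejected and external entities are never resolved. The following Java is an added illustration written for this page, not Apache Calcite's own code: it places a permissive DocumentBuilderFactory (the shape of the pre-1.32.0 behaviour) beside a hardened one and parses a constructed sample document that carries a harmless DTD, so the difference can be observed directly. The class, method names and the sample XML are assumptions made for the example; the feature URIs and XMLConstants values are standard JAXP.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    // Constructed sample input (not from the advisory): a document with a DOCTYPE
    // declaring an internal entity. Harmless by itself, but the DTD is the carrier
    // for external entity references, so a hardened parser should refuse it.
    static final String XML_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY who \"reader\"> ]>\n"
      + "<note>hello &who;</note>";

    // Constructed sample input without any DTD; a hardened parser must still accept this.
    static final String PLAIN_XML = "<note>hello reader</note>";

    /** Permissive factory: JAXP defaults, DTDs allowed and entities resolved. */
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: DOCTYPE rejected, external entities and XInclude disabled. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; this single feature blocks XXE and entity-expansion DoS.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that cannot reject DOCTYPE entirely.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Hardened XSLT factory for the XML_TRANSFORM case: no external DTDs or stylesheets fetched. */
    static TransformerFactory hardenedTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Parses xml with the given factory; returns the root element's text, or null if the parser rejected the input. */
    static String parseRootText(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXException rejected) {
            // disallow-doctype-decl surfaces as a SAXParseException on the DOCTYPE line.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("permissive, DTD input : " + parseRootText(permissiveFactory(), XML_WITH_DTD));
        System.out.println("hardened,   DTD input : " + parseRootText(hardenedFactory(), XML_WITH_DTD));
        System.out.println("hardened,   plain     : " + parseRootText(hardenedFactory(), PLAIN_XML));
    }
}
```

The permissive builder expands the entity and returns the document text; the hardened builder throws a SAXParseException on the DOCTYPE, which parseRootText maps to null, while the DTD-free document still parses. When reviewing a codebase that wraps XML in SQL functions, the check to apply is that every DocumentBuilderFactory, SAXParserFactory, XPathFactory and TransformerFactory instance is configured this way before it touches user-supplied input, not only the one used on the main path.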

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
org.apache.calcite:calcite-core (Maven)  < 1.32.0            1.32.0

Affected products: 136

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)