CVE-2022-36364

Name of the Vulnerable Software and Affected Versions Apache Calcite Avatica JDBC driver versions prior to 1.22.0

Description The issue is related to the creation of HTTP client instances based on class names provided via the httpclient impl connection property. The driver does not verify if the class implements the expected interface before instantiating it, which can lead to code execution loaded via arbitrary classes and in rare cases remote code execution. To exploit this, an attacker needs to have privileges to control JDBC connection parameters and there should be a vulnerable class in the classpath.

Recommendations For versions prior to 1.22.0, update to Apache Calcite Avatica 1.22.0 or later, where the class is verified to implement the expected interface before invoking its constructor. As a temporary workaround, consider restricting access to the httpclient impl connection property to minimize the risk of exploitation.