Missing Authentication for Critical Function
`HttpUtils#getURLConnection` method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite onwards, the hostname verification will be performed using the default JVM truststore.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id
306
name
Missing Authentication for Critical Function
description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
2
cwe_id
937
name
OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
3
cwe_id
295
name
Improper Certificate Validation
description
The product does not validate, or incorrectly validates, a certificate.