{"url":"http://public2.vulnerablecode.io/api/packages/1053424?format=json","purl":"pkg:maven/org.apache.polaris/polaris-runtime-service@1.0.1-incubating","type":"maven","namespace":"org.apache.polaris","name":"polaris-runtime-service","version":"1.0.1-incubating","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.4.1","latest_non_vulnerable_version":"1.4.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70613?format=json","vulnerability_id":"VCID-5ejt-96r8-u3gg","summary":"In Apache Iceberg, the table's metadata files are control files: they tell readers\nwhich data files belong to the table and which table version to read.\n\n\n\n`write.metadata.path` is an optional table property that tells Polaris\nwhere to\nwrite those metadata files. \nFor a table already registered in a\nPolaris-managed\ncatalog, changing only that property through an `ALTER TABLE`-style settings\nchange (not a row-level `INSERT`, `SELECT`, `UPDATE`, or `DELETE`) bypasses\nthe commit-time branch that is supposed to revalidate storage locations.\n\nThe full persisted / credential-vending variant requires the affected\ncatalog\nto have `polaris.config.allow.unstructured.table.location=true`, with\n`allowedLocations` broad enough to include the attacker-chosen target.\n\n\n`allowedLocations` is the admin-configured allowlist of storage paths that\nthe\ncatalog is allowed to use. Public project materials suggest that this flag\nis a\nreal supported compatibility / layout mode, not just a contrived lab-only\nprerequisite.\n\n\nIn that configuration, a user who can change table settings can cause Apache Polaris\nitself to write new table metadata to an attacker-chosen reachable storage\nlocation before the intended location-validation branch runs.\n\nIf the later concrete-path validation also accepts that location, Polaris\npersists the resulting metadata path into stored table state. Later\ntable-load\nand credential APIs can then return temporary cloud-storage credentials for\nthe\nsame location without revalidating it. In plain terms, Polaris can later\nhand\nout temporary storage access for the same attacker-chosen area.\n\nThat attacker-chosen area does not need to be limited to the poisoned\ntable's\nown files. If it is a broader storage prefix, another table's prefix, or,\ndepending on configuration or provider behavior, even a bucket/container\nroot,\nthe resulting disclosure or corruption scope can extend to any data and\nmetadata Polaris can reach there.\n\n\n\nThe practical consequences are therefore similar to the staged-create\ncredential-vending issue already discussed: data and metadata reachable in\nthat\nstorage scope can be exposed and, if write-capable credentials are later\nissued, modified, corrupted, or removed. Even before that later credential\nstep, Polaris itself performs the metadata write to the unchecked location.\n\nSo the core issue is not only later credential vending. \n\nThe primary defect\nis\nthat Polaris skips its intended location checks before performing a\nsecurity-\nsensitive metadata write when only `write.metadata.path` changes.\n\n\n\nWhen `polaris.config.allow.unstructured.table.location=false`, current code\nreview suggests the later `updateTableLike(...)` validation usually rejects\nout-of-tree metadata locations before the unsafe path is persisted. That may\nreduce the persisted / credential-vending variant, but it does not prevent\nthe\nunderlying defect: Polaris still skips the intended pre-write location check\nwhen only `write.metadata.path` changes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42812","reference_id":"","reference_type":"","scores":[{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.3406","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42812"},{"reference_url":"https://github.com/apache/polaris","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/polaris"},{"reference_url":"https://github.com/apache/polaris/commit/d6bbcc386e61d08ba5df1f820d0724816d84427b","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/polaris/commit/d6bbcc386e61d08ba5df1f820d0724816d84427b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42812","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42812"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/05/02/13","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/05/02/13"},{"reference_url":"https://github.com/advisories/GHSA-w76p-3cgp-qfcm","reference_id":"GHSA-w76p-3cgp-qfcm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w76p-3cgp-qfcm"},{"reference_url":"https://lists.apache.org/thread/wxd2wj3p0smvrk84msv317wg5tp3jtw9","reference_id":"wxd2wj3p0smvrk84msv317wg5tp3jtw9","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-04T16:31:28Z/"}],"url":"https://lists.apache.org/thread/wxd2wj3p0smvrk84msv317wg5tp3jtw9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375875?format=json","purl":"pkg:maven/org.apache.polaris/polaris-runtime-service@1.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.polaris/polaris-runtime-service@1.4.1"}],"aliases":["CVE-2026-42812","GHSA-w76p-3cgp-qfcm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5ejt-96r8-u3gg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70490?format=json","vulnerability_id":"VCID-6qqe-8ep3-87fz","summary":"Apache Polaris can issue broad temporary (\"vended\") storage credentials during\nstaged\ntable creation before the effective table location has been validated or\ndurably reserved. \nThose temporary credentials are meant to limit the scope\nof\naccessible table data and metadata, but this scope limitation becomes\nattacker-\ndirected because the attacker can choose a reachable target location.\n\n\n\nIn the confirmed variant, if the caller supplies a custom `location` during\nstage create and requests credential vending, Apache Polaris uses that location to\nconstruct delegated storage credentials immediately. The stage-create path\nitself neither runs the normal location validation nor the overlap checks\nbefore those credentials are issued.\n\n\n\nClosely related to that, the staged-create flow also accepts\n`write.data.path` / `write.metadata.path` in the request properties and\nfeeds\nthose location overrides into the same effective table location set used for\ncredential vending. Those fields are secondary to the main custom-`location`\nexploit, but they are still attacker-influenced location inputs that should\nbe\nvalidated before any credentials are issued.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42809","reference_id":"","reference_type":"","scores":[{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29296","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42809"},{"reference_url":"https://github.com/apache/polaris","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/polaris"},{"reference_url":"https://github.com/apache/polaris/commit/c98d610bc8f7ee237b272e01814391838dd6abf9","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/polaris/commit/c98d610bc8f7ee237b272e01814391838dd6abf9"},{"reference_url":"https://github.com/apache/polaris/releases/tag/apache-polaris-1.4.1","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/polaris/releases/tag/apache-polaris-1.4.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42809","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42809"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/05/02/10","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/05/02/10"},{"reference_url":"https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r","reference_id":"8tfsr8y7pgq6rdcvjx95hkcr47td671r","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-04T16:30:34Z/"}],"url":"https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r"},{"reference_url":"https://github.com/advisories/GHSA-8ggj-j522-h5qf","reference_id":"GHSA-8ggj-j522-h5qf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8ggj-j522-h5qf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375875?format=json","purl":"pkg:maven/org.apache.polaris/polaris-runtime-service@1.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.polaris/polaris-runtime-service@1.4.1"}],"aliases":["CVE-2026-42809","GHSA-8ggj-j522-h5qf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6qqe-8ep3-87fz"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.polaris/polaris-runtime-service@1.0.1-incubating"}