GHSA-hxp5-8pgq-mgv9 · Severity: medium · Ecosystem: maven — Missing Authentication for Critical Function in Apache Calcite
HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.
Conclusion & alert: CVE-2020-13955 is rated Moderate Risk (51.1/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.11%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-24 | 2.45% | 2.11% | -0.33% |
| 2 | 2026-06-15 | 0.78% | 2.45% | +1.66% |
| 3 | 2025-11-21 | — | 0.78% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.9 | 3.1 | MEDIUM |
|
2.2 | 3.6 | [email protected] |
| 4.3 | 2.0 | MEDIUM |
|
8.6 | 2.9 | [email protected] |
GHSA-hxp5-8pgq-mgv9 · Severity: medium · Ecosystem: maven — Missing Authentication for Critical Function in Apache Calcite
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/r0b0fbe2038388175951ce1028182d980f9e9a7328be13d52dab70bb3%40%3Cdev.calcite.apache.org%3E | Mailing List Third Party Advisory |