CVE-2026-42810— Apache Polaris 通配符命名空间凭证泄露漏洞
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2026-42810 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Apache Polaris: could broaden vended S3 credentials through wildcard-bearing namespace or table names
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns and `s3:prefix` conditions. In S3 IAM policy matching, `*` is treated as a wildcard rather than as ordinary text. That means temporary credentials issued for one crafted table can match the storage path of a different table. In private testing against Polaris 1.4.0 using Polaris' AWS S3 temporary- credential path on both MinIO and real AWS S3, credentials returned for crafted tables such as `f*.t1`, `f*.*`, `*.*`, and `foo.*` could reach other tables' S3 locations. The confirmed behavior includes: - reading another table's metadata control file ([Iceberg metadata JSON]); - listing another table's exact S3 table prefix ([table prefix]); - and, when write delegation was returned for the crafted table, creating and deleting an object under another table's exact S3 table prefix. A control case using ordinary different names did not allow the same cross-table access. A least-privilege AWS S3 variant was also confirmed in which the attacker principal had no Polaris permissions on the victim table and only the minimal permissions required to create and use a crafted wildcard table (namespace-scoped `TABLE_CREATE` and `TABLE_WRITE_DATA` on `*`). In that setup, direct Polaris access to `foo.t1` remained forbidden, but the attacker could still create and load `*.*`, receive delegated S3 credentials, and use those credentials to list, read, create, and delete objects under `foo.t1`. In Iceberg, the metadata JSON file is a control file: it tells readers which data files belong to the table, which snapshots exist, and which table version to read. So unauthorized access to it is already a meaningful confidentiality problem. The confirmed write-capable variant means the issue is not limited to disclosure.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
对输出编码和转义不恰当
来源: 美国国家漏洞数据库 NVD
受影响产品
| 厂商 | 产品 | 影响版本 | CPE | 订阅 |
|---|---|---|---|---|
| Apache Software Foundation | Apache Polaris | 0 ~ 1.4.1 | - |
二、漏洞 CVE-2026-42810 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2026-42810 的情报信息
Please 登录 to view more intelligence information
同批安全公告 · Apache Software Foundation · 2026-05-04 · 共 17 条
| CVE-2026-42811 | 9.9 CRITICAL | Apache Polaris GCS凭证泄露漏洞 |
| CVE-2026-42809 | 9.9 CRITICAL | Apache Polaris 临时存储凭证滥用漏洞 |
| CVE-2026-42812 | 9.9 CRITICAL | Apache Polaris write.metadata.path 无保护漏洞 |
| CVE-2026-40682 | Apache OpenNLP 字典解析 XXE 漏洞 | |
| CVE-2026-42027 | Apache OpenNLP 扩展加载器任意类实例化漏洞 | |
| CVE-2026-42440 | Apache OpenNLP 内存溢出拒绝服务漏洞 | |
| CVE-2026-40563 | Apache Atlas 脚本注入漏洞 | |
| CVE-2026-29169 | Apache HTTP Server mod_dav_lock 间接锁定崩溃漏洞 | |
| CVE-2026-23918 | Apache HTTP Server http2 早期重置双释放及RCE漏洞 | |
| CVE-2026-33006 | Apache HTTP Server mod_auth_digest 时序攻击漏洞 | |
| CVE-2026-33007 | Apache HTTP Server mod_authn_socache 崩溃漏洞 | |
| CVE-2026-33523 | Apache HTTP Server HTTP响应拆分漏洞 | |
| CVE-2026-33857 | Apache HTTP Server AJP获取函数边界外读漏洞 | |
| CVE-2026-34032 | Apache HTTP Server mod_proxy_ajp堆缓冲区过读漏洞 | |
| CVE-2026-34059 | Apache HTTP Server mod_proxy_ajp堆溢出与内存泄露漏洞 | |
| CVE-2026-24072 | Apache HTTP Server mod_rewrite 权限提升漏洞 |
IV. Related Vulnerabilities
V. Comments for CVE-2026-42810
暂无评论