CVE-2026-34214

描述

### Summary Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. ### Details Iceberg REST catalog typically needs access to object storage. This access can be configured in multiple different ways. When storage access is achieved by static credentials (e.g. AWS S3 access key) or vended credentials (temporary access key). Query JSON is a query visualization and performance troubleshooting facility. It includes serialized query plan and handles for table writes or execution of table procedures. A user that submitted a query has access to query JSON for their query. Query JSON is available from Trino UI or via `/ui/api/query/«query_id»` and `/v1/query/«query_id»` endpoints. The storage credentials are stored in those handles when performing write operations, or table maintenance operations. They are serialized in query JSON. A user with write access to data in Iceberg connector configured to use REST Catalog with static or vended credentials can retrieve those credentials. ### Impact Anyone using Iceberg REST catalog with static or vended credentials is impacted. The credentials should be considered compromised. Vended credentials are temporary in nature so they do not need to be rotated. However, underlying data could have been exposed.

如何修補 CVE-2026-34214

要修補 CVE-2026-34214,請將受影響套件升級到下列已修補版本。

• —升級至 480 或更新版本

CVE-2026-34214 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 439, < 480

CVSS 分數