GHSA-86q5-qcjc-7pv4: 
Java vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Presto JDBC when connecting to a remote Presto server, identified as GHSA-86q5-qcjc-7pv4. The vulnerability affects all versions of com.facebook.presto:presto-jdbc (Maven) up to and including version 0.283. The vulnerability was discovered by Jianyu Li from WuHeng Lab of ByteDance and was published on October 3, 2023. No patched versions are currently available (GitHub Advisory).

The vulnerability stems from the Presto protocol's nextUri parameter, which specifies the URI for the client's next request to obtain query data. The Presto JDBC client directly uses the nextUri value returned by the remote Presto server without proper validation. The vulnerability has a CVSS v3.1 score of 7.6 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L. The relevant vulnerable code is located in the /presto-client/src/main/java/com/facebook/presto/client/StatementClientV1.java file within the advance function (GitHub Advisory).

When an attacker can control the target remote Presto server, they can exploit this vulnerability to view sensitive information from internal servers or perform local port scanning. For unexpected responses, the JDBC client will include the response body in the error message, potentially leaking sensitive internal server information if the server returns errors directly to the user (GitHub Advisory).

As of the advisory publication, no patched versions are available for this vulnerability. Users of the affected versions (<=0.283) of com.facebook.presto:presto-jdbc should exercise caution when connecting to remote Presto servers and ensure they are connecting only to trusted servers (GitHub Advisory).