{
  "repository": "https://github.com/apache/gravitino",
  "commit_source": "release_tag_resolution",
  "commit_sha": "e88bffcfc31b7a656c960245b63b1e4c4901b8ee",
  "submitted_target": {
    "target_kind": "release",
    "commit_sha": "1c1665f05e24f69833bcedfb0e6dc6b477f95dc4",
    "version": "1.2.0",
    "ref": "v1.2.0",
    "display": "Apache Gravitino 1.2.0 official binary distribution"
  },
  "variant_target": {
    "target_kind": "release",
    "commit_sha": "e88bffcfc31b7a656c960245b63b1e4c4901b8ee",
    "version": "1.2.1",
    "ref": "v1.2.1",
    "display": "Apache Gravitino 1.2.1 official binary distribution (fixed; bypassed via lakehouse-paimon)"
  },
  "resolution_method": "The tested source identity was resolved from the running Gravitino server's /api/version endpoint, which reports the build gitCommit embedded in the official binary distribution. The official gravitino-1.2.1-bin.tar.gz (and 1.2.0) were used; no source was rebuilt. The 1.2.1 distribution embeds gitCommit e88bffcfc31b7a656c960245b63b1e4c4901b8ee (compileDate 06/05/2026 10:11:05), which is past the fix cherry-pick 84d3de9c7 (H2 block in DataSourceUtils) shipped in 1.2.1.",
  "fixed_version_evidence": {
    "version": "1.2.1",
    "git_commit": "e88bffcfc31b7a656c960245b63b1e4c4901b8ee",
    "compile_date": "06/05/2026 10:11:05",
    "version_endpoint": "http://127.0.0.1:8090/api/version",
    "captured_at": "bundle/logs/vuln_variant/fixed_version.json"
  },
  "vulnerable_version_evidence": {
    "version": "1.2.0",
    "git_commit": "1c1665f05e24f69833bcedfb0e6dc6b477f95dc4",
    "compile_date": "12/03/2026 14:09:50",
    "version_endpoint": "http://127.0.0.1:8090/api/version",
    "captured_at": "bundle/logs/vuln_variant/vuln_version.json"
  },
  "fix_commits": {
    "main": "5daabcd0e8ddc96e25bd6c6ce7b153cdb311c3f2",
    "branch_1.2_cherry_pick": "84d3de9c7c436fbdac72b5f7a1163e65e0580fe2"
  },
  "notes": "Both the vulnerable (1.2.0) and fixed (1.2.1) servers were started from the official Apache Gravitino binary distributions (gravitino-1.2.0-bin.tar.gz / gravitino-1.2.1-bin.tar.gz). The exact build commit was read live from each running server's /api/version response. The bypass (H2 INIT RCE via lakehouse-paimon jdbc metastore) was reproduced on the fixed 1.2.1 server (commit e88bffcfc...), confirming the fix is incomplete for this entry point."
}
