Vulnerabilities > Apache > Druid

DATE CVE VULNERABILITY TITLE RISK
2024-09-17 CVE-2024-45384 Unspecified vulnerability in Apache Druid
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.
network
low complexity
apache
5.3
2024-09-17 CVE-2024-45537 Unspecified vulnerability in Apache Druid
Apache Druid allows users with certain permissions to read data from other database systems using JDBC.
network
low complexity
apache
6.5
2022-07-07 CVE-2021-44791 Cross-site Scripting vulnerability in Apache Druid
In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses.
network
low complexity
apache CWE-79
6.1
2022-07-07 CVE-2022-28889 Improper Restriction of Rendered UI Layers or Frames vulnerability in Apache Druid
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking.
network
low complexity
apache CWE-1021
4.3
2021-09-24 CVE-2021-36749 Incorrect Authorization vulnerability in Apache Druid
In the Druid ingestion system, the InputSource is used for reading data from a certain data source.
network
low complexity
apache CWE-863
6.5
2021-07-02 CVE-2021-26920 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Apache Druid
In the Druid ingestion system, the InputSource is used for reading data from a certain data source.
network
low complexity
apache CWE-610
6.5
2021-03-30 CVE-2021-26919 Unspecified vulnerability in Apache Druid
Apache Druid allows users to read data from other database systems using JDBC.
network
low complexity
apache
8.8
2021-01-29 CVE-2021-25646 Unspecified vulnerability in Apache Druid
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests.
network
low complexity
apache
8.8
2020-04-01 CVE-2020-1958 Injection vulnerability in Apache Druid 0.17.0
When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid.
network
low complexity
apache CWE-74
6.5