CVE-2024-45537 – Apache Druid: Users can provide MySQL JDBC properties not on allow list
https://notcve.org/view.php?id=CVE-2024-45537
Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list. Users without the permission to configure JDBC connections are not able to exploit this vulnerability. CVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2. This issue is fixed in Apache Druid 30.0.1. • https://lists.apache.org/thread/2ovx1t77y6tlkhk5b42clp4vwo4c8cjv • CWE-20: Improper Input Validation •
CVE-2024-45384 – Apache Druid: Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack
https://notcve.org/view.php?id=CVE-2024-45384
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution. • https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1 •
CVE-2022-28889 – Clickjacking in the web console
https://notcve.org/view.php?id=CVE-2022-28889
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header. En Apache Druid versiones 0.22.1 y anteriores, el servidor no establecía los encabezados apropiados para evitar el clickjacking. Druid versiones 0.23.0 y posteriores evitan el clickjacking mediante el encabezado Content-Security-Policy • https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVE-2021-44791 – Reflected XSS on certain HTTP endpoints
https://notcve.org/view.php?id=CVE-2021-44791
In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. En Apache Druid versiones 0.22.1 y anteriores, algunos enlaces especialmente diseñados resultan en el envío de parámetros de URL sin esconder en las respuestas HTML. Esto hace posible una ejecución de ataques de tipo XSS reflejados • https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-36749 – Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)
https://notcve.org/view.php?id=CVE-2021-36749
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. • https://github.com/BrucessKING/CVE-2021-36749 https://github.com/dorkerdevil/CVE-2021-36749 https://github.com/Jun-5heng/CVE-2021-36749 https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E • CWE-863: Incorrect Authorization •