Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Druid Security Vulnerabilities

cve
cve

CVE-2020-1958

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based autho...

6.5CVSS

6.3AI Score

0.003EPSS

2020-04-01 10:15 PM
37
2
cve
cve

CVE-2021-25646

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a s...

8.8CVSS

8.5AI Score

0.974EPSS

2021-01-29 08:15 PM
228
54
cve
cve

CVE-2021-26919

Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker t...

8.8CVSS

8.5AI Score

0.012EPSS

2021-03-30 08:15 AM
71
In Wild
4
cve
cve

CVE-2021-26920

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an ...

6.5CVSS

6.1AI Score

0.002EPSS

2021-07-02 08:15 AM
80
2
cve
cve

CVE-2021-33800

In Druid 1.2.3, visiting the path with parameter in a certain function can lead to directory traversal.

7.5CVSS

7.4AI Score

0.002EPSS

2021-11-03 08:15 PM
21
cve
cve

CVE-2021-36749

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an ...

6.5CVSS

6.3AI Score

0.76EPSS

2021-09-24 10:15 AM
96
cve
cve

CVE-2021-44791

In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.

6.1CVSS

5.9AI Score

0.002EPSS

2022-07-07 07:15 PM
59
6
cve
cve

CVE-2022-28889

In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.

4.3CVSS

4.4AI Score

0.002EPSS

2022-07-07 07:15 PM
59
7