40 matches found
GHSA-XP4G-5XJ6-6VPR Apache Drill vulnerable to Cross-site Scripting
In Apache Drill 1.11.0 and earlier, when submitting form from Query page, users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this...
GHSA-J823-4QCH-3RGM Deserialization of untrusted data in Jackson Databind
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...
Remote Code Execution
jackson-databind is vulnerable to remote code execution. It was possible to use the apache-drill gadget type as a serialization gadget through polymorphic typing and execute arbitrary code on the system...
CVE-2020-14060
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...
CVE-2020-14060
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...
DEBIAN-CVE-2020-14060
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...
CVE-2020-14060
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...
CVE-2020-14060
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...
CVE-2020-14060
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...
Cross-Site Scripting (XSS)
apache-drill is vulnerable to cross-site scripting XSS. The inputValues parameter in populateAndShowAlert function is not properly sanitized, allowing a remote attacker attacker to pass a malicious input to execute arbitrary Javascript code on the victims browser...
Information Disclosure
Apache Drill is vulnerable to information disclosure. The application logs passwords in plain text when connecting a database, allowing a malicious user with access to the logs access to sensitive information...
Directory Traversal
Apache Drill is vulnerable directory traversal attacks. The application is does not prevent user queries from accessing paths outside of their workspace, allowing a malicious user to traverse the directory...
Apache Drill Cross-Site Scripting Vulnerability
Apache Drill is a schema-less SQL query engine for Hapood, NoSQL and cloud storage from the Apache Apache Software Foundation. The product supports a variety of NoSQL databases and file systems , including HBase, MongoDB, MapR-DB, HDFS and MapR-FS and so on. A cross-site scripting vulnerability...
Design/Logic Flaw
In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this...
CVE-2017-12630
In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this...
CVE-2017-12630
In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this...
CVE-2017-12630
In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this...
CVE-2017-12630
CVE-2017-12630 affects Apache Drill 1.11.0 and earlier. The vulnerability is a cross-site scripting issue where submitting a form from the Query page allows an attacker to inject arbitrary script/HTML, which can then execute on the Profile page and potentially expose cookie information. The conne...
Spoofable Clients
Apache Drill clients are vulnerable to being spoofed. When authenticating with a server, the configuration is not checked. This means if an attacker sets up a drillbit url with no authentication to spoof requests coming from a secured drillbit url, the connection will return as a success...
Cross-site Scripting (XSS)
Apache Drill is vulnerable to cross-site scripting XSS attacks. The library does not properly sanitize the user input string in the query page or in the profile page, allowing a malicious user to inject and execute arbitrary Javascript...