Lucene search
K

40 matches found

OSV
OSV
added 2022/05/14 3:53 a.m.14 views

GHSA-XP4G-5XJ6-6VPR Apache Drill vulnerable to Cross-site Scripting

In Apache Drill 1.11.0 and earlier, when submitting form from Query page, users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this...

5.4CVSS5.3AI score0.01105EPSS
Exploits3References3
OSV
OSV
added 2020/06/18 2:44 p.m.1 views

GHSA-J823-4QCH-3RGM Deserialization of untrusted data in Jackson Databind

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...

8.1CVSS7.1AI score0.08607EPSS
Exploits0References16
Veracode
Veracode
added 2020/06/15 5:12 a.m.36 views

Remote Code Execution

jackson-databind is vulnerable to remote code execution. It was possible to use the apache-drill gadget type as a serialization gadget through polymorphic typing and execute arbitrary code on the system...

8.1CVSS4.6AI score0.08607EPSS
Exploits0References11Affected Software16
NVD
NVD
added 2020/06/14 9:15 p.m.19 views

CVE-2020-14060

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...

8.1CVSS0.08607EPSS
Exploits0References9
OSV
OSV
added 2020/06/14 9:15 p.m.25 views

CVE-2020-14060

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...

8.1CVSS6.5AI score
Exploits0References9
OSV
OSV
added 2020/06/14 9:15 p.m.2 views

DEBIAN-CVE-2020-14060

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...

8.1CVSS7.1AI score0.08607EPSS
Exploits0References1
UbuntuCve
UbuntuCve
added 2020/06/14 9:15 p.m.37 views

CVE-2020-14060

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...

8.1CVSS6.8AI score0.08607EPSS
Exploits0References4
Cvelist
Cvelist
added 2020/06/14 8:46 p.m.37 views

CVE-2020-14060

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...

8.7AI score0.08607EPSS
Exploits0References9
Debian CVE
Debian CVE
added 2020/06/14 8:46 p.m.32 views

CVE-2020-14060

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...

8.1CVSS7.7AI score0.08607EPSS
Exploits0
Veracode
Veracode
added 2019/06/03 1:58 p.m.4 views

Cross-Site Scripting (XSS)

apache-drill is vulnerable to cross-site scripting XSS. The inputValues parameter in populateAndShowAlert function is not properly sanitized, allowing a remote attacker attacker to pass a malicious input to execute arbitrary Javascript code on the victims browser...

6.7AI score
Exploits0
Veracode
Veracode
added 2018/04/05 3:21 a.m.10 views

Information Disclosure

Apache Drill is vulnerable to information disclosure. The application logs passwords in plain text when connecting a database, allowing a malicious user with access to the logs access to sensitive information...

6.1AI score
Exploits0
Veracode
Veracode
added 2017/12/19 1:45 a.m.8 views

Directory Traversal

Apache Drill is vulnerable directory traversal attacks. The application is does not prevent user queries from accessing paths outside of their workspace, allowing a malicious user to traverse the directory...

6.6AI score
Exploits0
CNVD
CNVD
added 2017/12/19 12:0 a.m.3 views

Apache Drill Cross-Site Scripting Vulnerability

Apache Drill is a schema-less SQL query engine for Hapood, NoSQL and cloud storage from the Apache Apache Software Foundation. The product supports a variety of NoSQL databases and file systems , including HBase, MongoDB, MapR-DB, HDFS and MapR-FS and so on. A cross-site scripting vulnerability...

5.4CVSS6.5AI score0.01105EPSS
Exploits3References1
Prion
Prion
added 2017/12/18 2:29 p.m.9 views

Design/Logic Flaw

In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this...

3.5CVSS5.4AI score0.01105EPSS
Exploits3References1Affected Software1
NVD
NVD
added 2017/12/18 2:29 p.m.23 views

CVE-2017-12630

In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this...

5.4CVSS5.4AI score0.01105EPSS
Exploits3References1
OSV
OSV
added 2017/12/18 2:29 p.m.4 views

CVE-2017-12630

In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this...

5.4CVSS5.9AI score0.01105EPSS
Exploits3References1
Cvelist
Cvelist
added 2017/12/18 2:0 p.m.20 views

CVE-2017-12630

In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this...

5.4AI score0.01105EPSS
Exploits3References1
CVE
CVE
added 2017/12/18 2:0 p.m.89 views

CVE-2017-12630

CVE-2017-12630 affects Apache Drill 1.11.0 and earlier. The vulnerability is a cross-site scripting issue where submitting a form from the Query page allows an attacker to inject arbitrary script/HTML, which can then execute on the Profile page and potentially expose cookie information. The conne...

5.4CVSS5.4AI score0.01105EPSS
Exploits3References1Affected Software1
Veracode
Veracode
added 2017/10/23 7:16 a.m.14 views

Spoofable Clients

Apache Drill clients are vulnerable to being spoofed. When authenticating with a server, the configuration is not checked. This means if an attacker sets up a drillbit url with no authentication to spoof requests coming from a secured drillbit url, the connection will return as a success...

6.7AI score
Exploits0
Veracode
Veracode
added 2017/09/27 7:11 a.m.13 views

Cross-site Scripting (XSS)

Apache Drill is vulnerable to cross-site scripting XSS attacks. The library does not properly sanitize the user input string in the query page or in the profile page, allowing a malicious user to inject and execute arbitrary Javascript...

5.4CVSS5.4AI score0.01105EPSS
Exploits3References3Affected Software1
Rows per page
Query Builder