Server-side Request Forgery (SSRF)
Overview
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the concatenateForRewrite method in JettyUtils when the management proxy is enabled, which it is in the default configuration. An attacker can manipulate the URL to redirect requests to an arbitrary...
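The advisory does not say how the rewrite in concatenateForRewrite goes wrong, so the following is an added illustration of the bug class rather than Druid's code: a management-proxy style rewrite that resolves an attacker-controlled request path against a fixed upstream base, and the check that rejects any rewrite whose scheme or host no longer matches that base. The upstream address, the helper names and the sample paths are constructed for the example.

```python
"""Added example (not Apache Druid's code): a proxy URL rewrite that lets a
client-supplied path change the upstream host, beside a hardened version.
"""
from urllib.parse import urljoin, urlsplit

# Assumed upstream base for the proxy (constructed for this example).
UPSTREAM = "http://coordinator.internal:8081/"


def naive_rewrite(base: str, request_path: str) -> str:
    """Resolve the client path against the upstream base the way a browser
    would. A scheme-relative path ("//host/...") or an absolute URL replaces
    the host entirely, which is the SSRF primitive."""
    return urljoin(base, request_path)


def safe_rewrite(base: str, request_path: str) -> str:
    """Same resolution, but refuse any result whose scheme or authority
    (host, port, userinfo) differs from the configured upstream."""
    target = urljoin(base, request_path)
    b, t = urlsplit(base), urlsplit(target)
    if (t.scheme, t.netloc) != (b.scheme, b.netloc):
        raise ValueError(f"rewrite escaped upstream host: {target}")
    return target


def rewrite_is_safe(base: str, request_path: str) -> bool:
    """Convenience check used for scanning a list of candidate paths."""
    try:
        safe_rewrite(base, request_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample paths, one benign and three host-escaping.
    for path in ("druid/coordinator/v1/leader",
                 "//evil.example/steal",
                 "http://evil.example/steal",
                 "//coordinator.internal:8081@evil.example/"):
        print(f"{path!r:45} -> {naive_rewrite(UPSTREAM, path):45} "
              f"safe={rewrite_is_safe(UPSTREAM, path)}")
```

Comparing the whole netloc rather than just the hostname is deliberate: a path such as `//coordinator.internal:8081@evil.example/` keeps the expected host string in the userinfo part while the request actually goes to evil.example.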
Clickjacking
org.apache.druid:druid-server is vulnerable to clickjacking. The server does not set the response headers that prevent its pages from being framed (X-Frame-Options, or a Content-Security-Policy frame-ancestors directive), which allows a remote attacker to embed the Druid UI in a page they control and trick a user into interacting with it while the user believes they are on a different site...
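As an added check, not part of the advisory or of Druid, the function below inspects a captured set of response headers and reports which framing protection, if any, is in effect. It follows the browser rule that a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, and treats a wildcard or missing source list as no protection. The sample header sets are constructed for the example.

```python
"""Added example (not Apache Druid's code): classify whether an HTTP response
carries a header that stops the page from being framed."""
from typing import Dict, Optional


def frame_protection(headers: Dict[str, str]) -> Optional[str]:
    """Return a short description of the active anti-framing control, or
    None when the response can be embedded in an attacker's frame."""
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options in browsers that support it.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources and "*" not in sources:
                # 'none', 'self', or an explicit origin list all restrict framing.
                return "csp frame-ancestors " + " ".join(sources)
            return None  # wildcard or empty source list: frameable

    # Fall back to the legacy header; only DENY and SAMEORIGIN are honoured,
    # ALLOW-FROM is obsolete and ignored by current browsers.
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return "x-frame-options " + xfo
    return None


# Constructed sample responses, labelled by the outcome a scanner should report.
SAMPLES = {
    "unprotected":        {"Content-Type": "text/html"},
    "legacy header":      {"X-Frame-Options": "DENY"},
    "csp none":           {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp wildcard + xfo": {"Content-Security-Policy": "frame-ancestors *",
                           "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:20} -> {frame_protection(hdrs)}")
```

In practice the headers would come from a real response (for example `requests.get(url).headers`); the function takes a plain mapping so it can run offline here. The fix on the server side is to emit `Content-Security-Policy: frame-ancestors 'none'` (or `'self'`) and, for older clients, `X-Frame-Options: DENY`.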