Lucene search
+L
ApacheDruid

12 matches found

CVE
CVE
added 2021/01/29 7:15 p.m.319 views

CVE-2021-25646

CVE-2021-25646 affects Apache Druid where an authenticated user can trigger execution of user-provided JavaScript in certain requests. The root cause is improper validation that enables the server to run code with the Druid server process privileges, potentially compromising the host. Affected ve...

9CVSS8.6AI score0.99301EPSS
In wildWeb
CVE
CVE
added 2024/09/17 6:36 p.m.300 views

CVE-2024-45384

The CVE-2024-45384 issue affects Apache Druid via the optional druid-pac4j extension, enabling a Padding Oracle vulnerability that could let an attacker manipulate a pac4j session cookie. Affected versions are 0.18.0 through 30.0.0; installations not using druid-pac4j are not affected. While expl...

5.3CVSS5AI score0.00821EPSS
CVE
CVE
added 2021/03/30 7:50 a.m.247 views

CVE-2021-26919

CVE-2021-26919 affects Apache Druid, where allowing users with certain JDBC permissions to supply MySQL JDBC properties not on the allowed list could enable code execution in Druid server processes via a malicious MySQL server. Documented behavior: trusted users can set up lookups or ingestion ta...

8.8CVSS7.6AI score0.34949EPSS
In wild
CVE
CVE
added 2021/09/24 9:30 a.m.164 views

CVE-2021-36749

Apache Druid CVE-2021-36749 describes an information-disclosure/reading-via-HTTP InputSource issue in the Druid ingestion system. The HTTP InputSource context permits authenticated users to read data from sources other than intended (for example, local files) with the privileges of the Druid serv...

6.5CVSS6.5AI score0.81038EPSS
CVE
CVE
added 2021/07/02 7:20 a.m.139 views

CVE-2021-26920

The CVE-2021-26920 issue affects Apache Druid’s ingestion system: the HTTP InputSource can be used by authenticated users to read data from sources other than intended (e.g., local files) with the Druid server’s privileges. This is not a privilege elevation when accessed directly, since a Local I...

6.5CVSS6.2AI score0.09877EPSS
CVE
CVE
added 2022/07/07 6:35 p.m.109 views

CVE-2022-28889

CVE-2022-28889 affects Apache Druid up to v0.22.1: the web console/server did not send headers to mitigate clickjacking. Druid v0.23.0 and later address this by implementing a Content-Security-Policy header. Base CVSSv3.1 score 4.3 (MEDIUM). The connected sources confirm impact is limited to miss...

4.3CVSS4.7AI score0.01738EPSS
CVE
CVE
added 2025/03/20 11:29 a.m.108 views

CVE-2025-27888

Affected software and issue: Apache Druid with the management proxy enabled is vulnerable to SSRF, XSS, and Open Redirect via specially crafted URLs. Root cause / vulnerability details: When a request is proxied through the Druid management proxy, a crafted URL can redirect to an arbitrary server...

5.8CVSS5.9AI score0.01656EPSS
CVE
CVE
added 2022/07/07 6:35 p.m.100 views

CVE-2021-44791

CVE-2021-44791 affects Apache Druid 0.22.1 and earlier. The vulnerability arises when certain specially-crafted links cause unescaped URL parameters to be echoed back in HTML responses, enabling reflected XSS . The impact floor is limited to the types of data altered in the response and user inte...

6.1CVSS6AI score0.02088EPSS
CVE
CVE
added 2020/04/01 9:48 p.m.93 views

CVE-2020-1958

Apache Druid 0.17.0 is affected by CVE-2020-1958, which allows an attacker using valid LDAP credentials to bypass the credentialsValidator.userSearch filter and proceed to authentication, while still being subjected to RBAC if configured. The issue also enables retrieval of LDAP attribute values ...

6.5CVSS6.3AI score0.04565EPSS
CVE
CVE
added 2024/09/17 6:37 p.m.80 views

CVE-2024-45537

Apache Druid CVE-2024-45537 describes a vulnerability where an authenticated user can bypass authorization by sending a specially crafted MySQL JDBC connection string that includes properties not on the allow list, enabling access to read data from other databases via JDBC. The issue stems from i...

6.5CVSS6.9AI score0.00626EPSS
CVE
CVE
added 2026/02/10 9:28 a.m.39 views

CVE-2026-23906

Summary (CVE-2026-23906) : Apache Druid versions 0.17.0 through 35.x are affected when using the druid-basic-security extension with LDAP authentication and an LDAP server that allows anonymous bind. The vulnerability arises from improper validation of LDAP authentication responses, where anonymo...

9.8CVSS5.6AI score0.01034EPSS
CVE
CVE
added 2025/11/26 8:50 a.m.29 views

CVE-2025-59390

Apache Druid’s Kerberos authenticator is affected. If the configuration druid.auth.authenticator.kerberos.cookieSignatureSecret is not set, a weak fallback secret is generated with ThreadLocalRandom, which is not cryptographically secure. This can allow an attacker to predict or brute‑force the c...

9.8CVSS6.8AI score0.00597EPSS