7 matches found

CVE (added 2021/03/30 7:50 a.m., 245 views)

CVE-2021-26919

CVE-2021-26919 affects Apache Druid, where allowing users with certain JDBC permissions to supply MySQL JDBC properties not on the allowed list could enable code execution in Druid server processes via a malicious MySQL server. Documented behavior: trusted users can set up lookups or ingestion ta...

CVSS 8.8 | AI score 7.6 | EPSS 0.22588 | In wild
CVE (added 2021/09/24 9:30 a.m., 160 views)

CVE-2021-36749

Apache Druid CVE-2021-36749 describes an information-disclosure issue in the Druid ingestion system, reachable through the HTTP InputSource. The HTTP InputSource context permits authenticated users to read data from sources other than intended (for example, local files) with the privileges of the Druid serv...

CVSS 6.5 | AI score 6.5 | EPSS 0.81038
CVE (added 2021/07/02 7:20 a.m., 135 views)

CVE-2021-26920

The CVE-2021-26920 issue affects Apache Druid’s ingestion system: the HTTP InputSource can be used by authenticated users to read data from sources other than intended (e.g., local files) with the Druid server’s privileges. This is not a privilege elevation when accessed directly, since a Local I...

CVSS 6.5 | AI score 6.2 | EPSS 0.09877
CVE (added 2022/07/07 6:35 p.m., 107 views)

CVE-2022-28889

CVE-2022-28889 affects Apache Druid up to v0.22.1: the web console/server did not send headers to mitigate clickjacking. Druid v0.23.0 and later address this by implementing a Content-Security-Policy header. Base CVSSv3.1 score 4.3 (MEDIUM). The connected sources confirm impact is limited to miss...

CVSS 4.3 | AI score 4.7 | EPSS 0.016
CVE (added 2025/03/20 11:29 a.m., 106 views)

CVE-2025-27888

Affected software and issue: Apache Druid with the management proxy enabled is vulnerable to SSRF, XSS, and Open Redirect via specially crafted URLs. Root cause / vulnerability details: When a request is proxied through the Druid management proxy, a crafted URL can redirect to an arbitrary server...

CVSS 5.8 | AI score 5.9 | EPSS 0.01656
CVE (added 2024/09/17 6:37 p.m., 74 views)

CVE-2024-45537

Apache Druid CVE-2024-45537 describes a vulnerability where an authenticated user can bypass authorization by sending a specially crafted MySQL JDBC connection string that includes properties not on the allow list, enabling access to read data from other databases via JDBC. The issue stems from i...

CVSS 6.5 | AI score 6.9 | EPSS 0.00626
CVE (added 2025/11/26 8:50 a.m., 26 views)

CVE-2025-59390

Apache Druid’s Kerberos authenticator is affected. If the configuration druid.auth.authenticator.kerberos.cookieSignatureSecret is not set, a weak fallback secret is generated with ThreadLocalRandom, which is not cryptographically secure. This can allow an attacker to predict or brute-force the c...

CVSS 9.8 | AI score 6.8 | EPSS 0.00597