Druid@* Security Vulnerabilities and Issues — Druid@* CVE List

Lucene search

ApacheDruid*

10 matches found

CVE•added 2021/01/29 8:15 p.m.•279 views

CVE-2021-25646

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a s...

9CVSS8.6AI score0.94136EPSS

CVE•added 2024/09/17 7:15 p.m.•215 views

CVE-2024-45384

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j.This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0.Since the druid-pac4j extension is optional and disabled by default, Druid installations not using th...

5.3CVSS5AI score0.01169EPSS

CVE•added 2021/03/30 8:15 a.m.•190 views

CVE-2021-26919

Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker t...

8.8CVSS7.6AI score0.82388EPSS

CVE•added 2021/09/24 10:15 a.m.•130 views

CVE-2021-36749

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an ...

6.5CVSS6.5AI score0.9334EPSS

CVE•added 2021/07/02 8:15 a.m.•109 views

CVE-2021-26920

6.5CVSS6.2AI score0.03207EPSS

CVE•added 2022/07/07 7:15 p.m.•90 views

CVE-2022-28889

In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.

4.3CVSS4.7AI score0.02244EPSS

CVE•added 2020/04/01 10:15 p.m.•78 views

CVE-2020-1958

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based autho...

6.5CVSS6.3AI score0.13735EPSS

CVE•added 2022/07/07 7:15 p.m.•77 views

CVE-2021-44791

In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.

6.1CVSS6AI score0.08295EPSS

CVE•added 2025/03/20 12:15 p.m.•57 views

CVE-2025-27888

Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid versions. When using ...

5.8CVSS5.9AI score0.0007EPSS

CVE•added 2024/09/17 7:15 p.m.•51 views

CVE-2024-45537

Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide f...

6.5CVSS6.9AI score0.82388EPSS