CVE-2021-26919
CVE-2021-26919 affects Apache Druid, where allowing users with certain JDBC permissions to supply MySQL JDBC properties not on the allowed list could enable code execution in Druid server processes via a malicious MySQL server. Documented behavior: trusted users can set up lookups or ingestion ta...
CVE-2021-36749
Apache Druid CVE-2021-36749 describes an information-disclosure issue in the HTTP InputSource of the Druid ingestion system. The HTTP InputSource permits authenticated users to read data from sources other than intended (for example, local files) with the privileges of the Druid serv...
CVE-2021-26920
The CVE-2021-26920 issue affects Apache Druid’s ingestion system: the HTTP InputSource can be used by authenticated users to read data from sources other than intended (e.g., local files) with the Druid server’s privileges. This is not a privilege elevation when accessed directly, since a Local I...
CVE-2022-28889
CVE-2022-28889 affects Apache Druid up to v0.22.1: the web console/server did not send headers to mitigate clickjacking. Druid v0.23.0 and later address this by implementing a Content-Security-Policy header. Base CVSSv3.1 score 4.3 (MEDIUM). The connected sources confirm impact is limited to miss...
CVE-2025-27888
Affected software and issue: Apache Druid with the management proxy enabled is vulnerable to SSRF, XSS, and Open Redirect via specially crafted URLs. Root cause / vulnerability details: When a request is proxied through the Druid management proxy, a crafted URL can redirect to an arbitrary server...
CVE-2024-45537
Apache Druid CVE-2024-45537 describes a vulnerability where an authenticated user can bypass authorization by sending a specially crafted MySQL JDBC connection string that includes properties not on the allow list, enabling access to read data from other databases via JDBC. The issue stems from i...
CVE-2025-59390
Apache Druid’s Kerberos authenticator is affected. If the configuration druid.auth.authenticator.kerberos.cookieSignatureSecret is not set, a weak fallback secret is generated with ThreadLocalRandom, which is not cryptographically secure. This can allow an attacker to predict or brute-force the c...