Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NApache Druid
APPApache0.18.0 – 30.0.1 (bez)
Related vulnerabilities
Apache Druid – pominięcie uwierzytelnienia LDAP przez anonimowy bind
Apache Druid: słaby generator losowy umożliwia bypass uwierzytelnienia Kerberos
Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow ...
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of reques...
Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input Durin...