CVE-2021-44791 – org.apache.druid:druid

Package

Manager: maven
Name: org.apache.druid:druid
Vulnerable Version: >=0 <0.23.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.08295 pctl0.91925

Details

Apache Druid before 0.23.0 vulnerable to reflected XSS via unescaped URL parameters In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. This issue is patched in version 0.23.0.

Metadata

Created: 2022-07-08T00:00:43Z
Modified: 2022-07-19T20:27:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8rmv-98m4-g5c6/GHSA-8rmv-98m4-g5c6.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-8rmv-98m4-g5c6
Finding: F008
Auto approve: 1