CVE-2022-28889 – org.apache.druid:druid
Package
Manager: maven
Name: org.apache.druid:druid
Vulnerable Version: >=0 <0.23.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.02244 (percentile 0.83939)
Details
Apache Druid before 0.23.0 vulnerable to clickjacking
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
Metadata
Created: 2022-07-08T00:00:43Z
Modified: 2022-07-19T20:26:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-pgq7-jcj5-xx6h/GHSA-pgq7-jcj5-xx6h.json
CWE IDs: ["CWE-1021"]
Alternative ID: GHSA-pgq7-jcj5-xx6h
Finding: F360
Auto approve: 1