
=====================================================================

                                   CERT-Renater

                       Information Note No. 2022/VULN241

_____________________________________________________________________

DATE                : 08/07/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Druid versions prior
                     to 0.23.0.

=====================================================================
https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw
https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6
_____________________________________________________________________


CVE-2022-28889: Apache Druid: Clickjacking in the web console


Description:

In Apache Druid 0.22.1 and earlier, the server did not set appropriate
headers to prevent clickjacking. Druid 0.23.0 and later prevent
clickjacking using the Content-Security-Policy header.


Mitigation:

Upgrade to Druid 0.23.0 or later.
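As an added example (not part of this advisory and not Apache Druid's own code), the check below evaluates whether an HTTP response's headers restrict framing, which is what the Content-Security-Policy fix above relies on. The header sets at the bottom are constructed samples; the exact policy value Druid 0.23.0 emits is not reproduced here.

```python
"""Decide whether response headers block clickjacking (third-party framing)."""
import urllib.request


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def clickjacking_protected(headers):
    """Return True when framing by other origins is blocked.

    A CSP frame-ancestors directive takes precedence over X-Frame-Options in
    browsers that support it; X-Frame-Options DENY/SAMEORIGIN is accepted as
    a fallback. A missing directive or a wildcard/scheme-only source is
    treated as unprotected (simplification: host wildcards such as
    *.example.com are not analysed).
    """
    lower = {name.lower(): value for name, value in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # An empty source list behaves like 'none' and blocks all framing.
            return all(src not in ("*", "http:", "https:") for src in ancestors)
    xfo = lower.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


def fetch_headers(url):
    """Fetch a URL (e.g. a web console page) and return its response headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:  # hypothetical target URL
        return dict(resp.headers)


# Constructed samples standing in for an unpatched and a patched console response.
UNPATCHED = {"Content-Type": "text/html"}
PATCHED = {"Content-Type": "text/html",
           "Content-Security-Policy": "frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, "protected" if clickjacking_protected(hdrs) else "NOT protected")
```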

_____________________________________________________________________

CVE-2021-44791: Apache Druid: Reflected XSS on certain HTTP endpoints

Severity: low

Description:

In Apache Druid 0.22.1 and earlier, certain specially-crafted links
result in unescaped URL parameters being sent back in HTML responses.
This makes it possible to execute reflected XSS attacks.


Mitigation:

Upgrade to Druid 0.23.0 or later.


Credit:

This issue was discovered by DangKhai from Viettel Cyber Security.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================