VYPR
Moderate severity · NVD Advisory · Published Jul 7, 2022 · Updated Aug 4, 2024

Reflected XSS on certain HTTP endpoints

CVE-2021-44791

Description

Apache Druid versions 0.22.1 and earlier are vulnerable to reflected XSS via specially-crafted links that return unescaped URL parameters in HTML responses.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2021-44791 is a reflected cross-site scripting (XSS) vulnerability in Apache Druid, a high-performance real-time analytics database. The flaw exists in versions 0.22.1 and earlier, where certain specially-crafted links cause unescaped URL parameters to be reflected back in HTML responses. This lack of proper output encoding allows an attacker to inject arbitrary JavaScript into the response page [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing JavaScript payloads in query parameters. When a victim clicks on such a link, the unescaped parameters are included in the HTML response from the Druid server, causing the browser to execute the injected script. No authentication is required to trigger the reflection, but the victim must be logged into the Druid console for the attack to have full effect [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, data theft, or unauthorized actions performed on behalf of the victim within the Druid web console. The vulnerability is classified as medium severity (CVSS 6.1) due to the requirement for user interaction [2].

Mitigation

Apache has addressed this issue in Druid version 0.22.2 and later. Users are strongly advised to upgrade to the latest release. As a workaround, administrators can restrict access to the Druid web console or implement web application firewall rules to filter malicious query parameters. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
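The root cause described above is missing output encoding: a query parameter is copied verbatim into an HTML response. The following added example (illustrative code written for this page, not Apache Druid's own code; the endpoint path, the `q` parameter and the page layout are hypothetical) shows the vulnerable reflection pattern beside its hardened form, plus the check a reviewer or scanner would use to tell the two apart: a parameter value containing HTML metacharacters that reappears unchanged in the body.

```python
# Added illustrative example (not Apache Druid's code): a minimal handler that
# reflects a URL parameter into HTML, first without output encoding (the
# pattern behind CVE-2021-44791) and then with entity encoding applied.
# The /search endpoint, the "q" parameter and PAGE are hypothetical.
import html
from urllib.parse import parse_qs, urlsplit

PAGE = "<html><body><h1>Results</h1><p>You searched for: {value}</p></body></html>"


def param_from_url(url: str, name: str) -> str:
    """Return the first value of query parameter `name` (percent-decoded), or ''."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the raw parameter: any '<', '>' or quotes reach the browser as markup."""
    return PAGE.format(value=param_from_url(url, "q"))


def render_hardened(url: str) -> str:
    """Same page, but the reflected value is entity-encoded before insertion.

    quote=True also encodes '"' and "'", so the same helper is safe when the
    value lands inside an attribute rather than between tags.
    """
    return PAGE.format(value=html.escape(param_from_url(url, "q"), quote=True))


def reflects_unescaped(param_value: str, body: str) -> bool:
    """Defender-side check: True when a parameter value that carries HTML
    metacharacters appears verbatim in the response body, i.e. the endpoint
    is not encoding its output. Benign values (no metacharacters) never match."""
    risky = any(c in param_value for c in '<>"\'&')
    return risky and param_value in body


if __name__ == "__main__":
    # Constructed probe: an HTML tag in the query string, percent-encoded as a
    # browser would send it. The host name is a placeholder.
    probe_url = "http://druid.example/search?q=%3Cscript%3Eprobe()%3C%2Fscript%3E"
    value = param_from_url(probe_url, "q")
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        body = render(probe_url)
        print(f"{label}: reflects unescaped = {reflects_unescaped(value, body)}")
        print(body)
```

The check in `reflects_unescaped` is deliberately conservative: it flags only values that could change the markup, so it can run against ordinary request logs without noise. Encoding at the point of output (rather than filtering input) is what closes the bug, because the same parameter may be rendered in several places with different escaping needs.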

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.druid:druid (Maven)
Affected versions: < 0.23.0
Patched versions: 0.23.0

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.