VYPR
← All advisories
Low severityNVD Advisory· Published Sep 17, 2024· Updated Mar 14, 2025

Apache Druid: Users can provide MySQL JDBC properties not on allow list

CVE-2024-45537

Description

In Apache Druid, a crafted MySQL JDBC connection string bypasses the allowed properties list, letting trusted users inject arbitrary properties and access other databases.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Apache Druid, a crafted MySQL JDBC connection string bypasses the allowed properties list, letting trusted users inject arbitrary properties and access other databases.

Vulnerability

Description

Apache Druid allows users with permission to configure JDBC connections to read data from other database systems via JDBC for lookups or ingestion tasks. Druid administrators can define an allowed properties list to restrict which connection properties users can supply; by default, only TLS-related properties are permitted. However, when using a MySQL JDBC connection, an attacker can craft a JDBC connection string that injects properties not on the allow list, bypassing the restriction [1]. This issue is similar to CVE-2021-26919, which was partially addressed in Druid 0.20.2.

Exploitation

Prerequisites

To exploit this vulnerability, a user must have the permission to configure JDBC connections. Users without this permission cannot exploit it. The attack requires knowledge of MySQL JDBC driver specifics and the ability to construct a malicious connection string [1].

Impact

A successful exploit allows an attacker to include arbitrary JDBC connection properties, potentially enabling access to other databases or systems that the Druid process can reach. This could lead to unauthorized data access or further compromise of connected systems [1].

Mitigation

The vulnerability is fixed in Apache Druid version 30.0.1 [3]. Administrators should upgrade to this version or later. Additionally, restricting the JDBC configuration permission to only trusted users can reduce risk.

References
  1. NVD - CVE-2024-45537
  2. Release druid-30.0.1 · apache/druid

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.druid:druidMaven
< 30.0.130.0.1

Affected products

2

Patches

1
a30af7a91d52

[maven-release-plugin] prepare release druid-30.0.1-rc1

https://github.com/apache/druidcryptoeSep 5, 2024via osv
commit
78 files changed · +104 132
  • benchmarks/pom.xml+1 1 modified
    @@ -27,7 +27,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
   </parent>
 
   <dependencies>
  • cloud/aws-common/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • cloud/gcp-common/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • distribution/pom.xml+1 1 modified
    @@ -30,7 +30,7 @@
     <parent>
         <artifactId>druid</artifactId>
         <groupId>org.apache.druid</groupId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
     </parent>
 
     <dependencies>
  • extensions-contrib/aliyun-oss-extensions/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/ambari-metrics-emitter/pom.xml+1 1 modified
    @@ -24,7 +24,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/cassandra-storage/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-contrib/cloudfiles-extensions/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-contrib/compressed-bigdecimal/pom.xml+2 4 modified
    @@ -17,15 +17,13 @@
   ~ specific language governing permissions and limitations
   ~ under the License.
   -->
-<project
-    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"
-    xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/ddsketch/pom.xml+1 1 modified
    @@ -22,7 +22,7 @@
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/distinctcount/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-contrib/dropwizard-emitter/pom.xml+1 1 modified
    @@ -24,7 +24,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/druid-deltalake-extensions/pom.xml+2 4 modified
    @@ -17,9 +17,7 @@
   ~ specific language governing permissions and limitations
   ~ under the License.
   -->
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 
   <groupId>org.apache.druid.extensions.contrib</groupId>
   <artifactId>druid-deltalake-extensions</artifactId>
@@ -29,7 +27,7 @@
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/druid-iceberg-extensions/pom.xml+2 4 modified
    @@ -17,9 +17,7 @@
   ~ specific language governing permissions and limitations
   ~ under the License.
   -->
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 
   <groupId>org.apache.druid.extensions.contrib</groupId>
   <artifactId>druid-iceberg-extensions</artifactId>
@@ -29,7 +27,7 @@
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/gce-extensions/pom.xml+1 1 modified
    @@ -21,7 +21,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/graphite-emitter/pom.xml+1 1 modified
    @@ -24,7 +24,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/influxdb-emitter/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-contrib/influx-extensions/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/kafka-emitter/pom.xml+1 1 modified
    @@ -24,7 +24,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/kubernetes-overlord-extensions/pom.xml+2 3 modified
    @@ -18,8 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <groupId>org.apache.druid.extensions.contrib</groupId>
@@ -30,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/materialized-view-maintenance/pom.xml+1 1 modified
    @@ -22,7 +22,7 @@
     <parent>
         <artifactId>druid</artifactId>
         <groupId>org.apache.druid</groupId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/materialized-view-selection/pom.xml+1 1 modified
    @@ -22,7 +22,7 @@
     <parent>
         <artifactId>druid</artifactId>
         <groupId>org.apache.druid</groupId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/momentsketch/pom.xml+1 1 modified
    @@ -22,7 +22,7 @@
     <parent>
         <artifactId>druid</artifactId>
         <groupId>org.apache.druid</groupId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/moving-average-query/pom.xml+1 1 modified
    @@ -24,7 +24,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/opentelemetry-emitter/pom.xml+3 5 modified
    @@ -17,13 +17,11 @@
   ~ specific language governing permissions and limitations
   ~ under the License.
   -->
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
@@ -177,7 +175,7 @@
                   so we need to relocate the class names of the implementation classes.
                   More about SPI - https://docs.oracle.com/javase/tutorial/ext/basics/spi.html.
                   https://maven.apache.org/plugins/maven-shade-plugin/examples/resource-transformers.html. -->
-                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
+                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
               </transformers>
               <artifactSet>
                 <includes>
  • extensions-contrib/opentsdb-emitter/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/prometheus-emitter/pom.xml+2 4 modified
    @@ -17,13 +17,11 @@
   ~ specific language governing permissions and limitations
   ~ under the License.
   -->
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/rabbit-stream-indexing-service/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-contrib/redis-cache/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-contrib/spectator-histogram/pom.xml+2 4 modified
    @@ -18,13 +18,11 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/sqlserver-metadata-storage/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-contrib/statsd-emitter/pom.xml+1 1 modified
    @@ -21,7 +21,7 @@
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/tdigestsketch/pom.xml+1 1 modified
    @@ -22,7 +22,7 @@
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/thrift-extensions/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/time-min-max/pom.xml+1 1 modified
    @@ -21,7 +21,7 @@
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-contrib/virtual-columns/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/avro-extensions/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/azure-extensions/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/datasketches/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/druid-aws-rds-extensions/pom.xml+2 3 modified
    @@ -18,8 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <groupId>org.apache.druid.extensions</groupId>
@@ -30,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/druid-basic-security/pom.xml+1 1 modified
    @@ -30,7 +30,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/druid-bloom-filter/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/druid-catalog/pom.xml+2 3 modified
    @@ -19,8 +19,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <groupId>org.apache.druid.extensions</groupId>
@@ -31,7 +30,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/druid-kerberos/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/druid-pac4j/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/druid-ranger-security/pom.xml+1 1 modified
    @@ -30,7 +30,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/ec2-extensions/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/google-extensions/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/hdfs-storage/pom.xml+2 3 modified
    @@ -18,8 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <groupId>org.apache.druid.extensions</groupId>
@@ -30,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/histogram/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/kafka-extraction-namespace/pom.xml+2 3 modified
    @@ -18,8 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.apache.druid.extensions</groupId>
   <artifactId>druid-kafka-extraction-namespace</artifactId>
@@ -29,7 +28,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/kafka-indexing-service/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/kinesis-indexing-service/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/kubernetes-extensions/pom.xml+2 3 modified
    @@ -18,8 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <groupId>org.apache.druid.extensions</groupId>
@@ -30,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/lookups-cached-global/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/lookups-cached-single/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/multi-stage-query/pom.xml+2 3 modified
    @@ -19,8 +19,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <groupId>org.apache.druid.extensions</groupId>
@@ -31,7 +30,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/mysql-metadata-storage/pom.xml+1 1 modified
    @@ -30,7 +30,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/orc-extensions/pom.xml+1 1 modified
    @@ -26,7 +26,7 @@
     <parent>
         <artifactId>druid</artifactId>
         <groupId>org.apache.druid</groupId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>
  • extensions-core/parquet-extensions/pom.xml+1 1 modified
    @@ -27,7 +27,7 @@
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-core/postgresql-metadata-storage/pom.xml+1 1 modified
    @@ -30,7 +30,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/protobuf-extensions/pom.xml+2 3 modified
    @@ -18,8 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <groupId>org.apache.druid.extensions</groupId>
@@ -30,7 +29,7 @@
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/s3-extensions/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • extensions-core/simple-client-sslcontext/pom.xml+1 1 modified
    @@ -22,7 +22,7 @@
   <parent>
     <artifactId>druid</artifactId>
     <groupId>org.apache.druid</groupId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
  • extensions-core/stats/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • extensions-core/testing-tools/pom.xml+1 1 modified
    @@ -29,7 +29,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
  • indexing-hadoop/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
     </parent>
 
     <dependencies>
  • indexing-service/pom.xml+2 3 modified
    @@ -18,8 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <artifactId>druid-indexing-service</artifactId>
@@ -29,7 +28,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
     </parent>
 
     <dependencies>
  • integration-tests-ex/cases/pom.xml+2 4 modified
    @@ -18,9 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <groupId>org.apache.druid.integration-tests</groupId>
@@ -31,7 +29,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • integration-tests-ex/image/pom.xml+1 1 modified
    @@ -46,7 +46,7 @@ Reference: https://dzone.com/articles/build-docker-image-from-maven
     <parent>
         <artifactId>druid</artifactId>
         <groupId>org.apache.druid</groupId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
  • integration-tests-ex/tools/pom.xml+2 4 modified
    @@ -18,9 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
     <groupId>org.apache.druid.integration-tests</groupId>
@@ -31,7 +29,7 @@
 	<parent>
 		<groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-		<version>30.0.1-SNAPSHOT</version>
+		<version>30.0.1</version>
 		<relativePath>../../pom.xml</relativePath>
 	</parent>
  • integration-tests/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
     </parent>
 
     <repositories>
  • pom.xml+7 8 modified
    @@ -29,7 +29,7 @@
 
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
     <packaging>pom</packaging>
 
     <name>Druid</name>
@@ -66,7 +66,7 @@
         <connection>scm:git:ssh://git@github.com/apache/druid.git</connection>
         <developerConnection>scm:git:ssh://git@github.com/apache/druid.git</developerConnection>
         <url>https://github.com/apache/druid.git</url>
-        <tag>29.0.0-SNAPSHOT</tag>
+        <tag>druid-30.0.1-rc1</tag>
     </scm>
 
     <properties>
@@ -117,8 +117,7 @@
         <hadoop.compile.version>3.3.6</hadoop.compile.version>
         <mockito.version>5.5.0</mockito.version>
         <!-- mockito-inline artifact was removed in mockito 5.3 (mockito 5.x is required for Java >17),
-             however it is required in some cases when running against mockito 4.x (mockito 4.x is required for Java <11.
-             We use the following property to pick the proper artifact based on Java version (see pre-java-11 profile) -->
+             however it is required in some cases when running against mockito 4.x (mockito 4.x is required for Java <11. We use the following property to pick the proper artifact based on Java version (see pre-java-11 profile) -->
         <mockito.inline.artifact>core</mockito.inline.artifact>
         <aws.sdk.version>1.12.638</aws.sdk.version>
         <caffeine.version>2.8.0</caffeine.version>
@@ -155,7 +154,7 @@
              -->
          <jacocoArgLine />
          <!--  used to enable continuous profiling of jdk17 unit tests in github actions  -->
-         <jfrProfilerArgLine></jfrProfilerArgLine>
+         <jfrProfilerArgLine />
     </properties>
 
     <modules>
@@ -1613,7 +1612,7 @@
                         </goals>
                         <configuration>
                             <rules>
-                                <banDuplicatePomDependencyVersions/>
+                                <banDuplicatePomDependencyVersions />
                                 <requireMavenVersion>
                                     <version>3.0.0</version>
                                 </requireMavenVersion>
@@ -1781,11 +1780,11 @@
                         <trimStackTrace>false</trimStackTrace>
                         <!-- our tests are very verbose, let's keep the volume down -->
                         <redirectTestOutputToFile>true</redirectTestOutputToFile>
-                        <forkNode implementation="org.apache.maven.plugin.surefire.extensions.SurefireForkNodeFactory"/>
+                        <forkNode implementation="org.apache.maven.plugin.surefire.extensions.SurefireForkNodeFactory" />
                         <!-- Surefire default is to exclude static inner classes; which may lead to the ignore of static inner classes
                              https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#excludes -->
                         <excludes>
-                           <exclude/>
+                           <exclude />
                         </excludes>
                     </configuration>
                 </plugin>
  • processing/pom.xml+2 3 modified
    @@ -18,8 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <artifactId>druid-processing</artifactId>
@@ -29,7 +28,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
   </parent>
 
   <properties>
  • server/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
     </parent>
 
     <dependencies>
  • services/pom.xml+1 1 modified
    @@ -27,7 +27,7 @@
     <parent>
         <groupId>org.apache.druid</groupId>
         <artifactId>druid</artifactId>
-        <version>30.0.1-SNAPSHOT</version>
+        <version>30.0.1</version>
     </parent>
 
     <dependencies>
  • sql/pom.xml+2 3 modified
    @@ -18,8 +18,7 @@
   ~ under the License.
   -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <artifactId>druid-sql</artifactId>
@@ -29,7 +28,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
   </parent>
 
   <dependencies>
  • web-console/pom.xml+1 1 modified
    @@ -28,7 +28,7 @@
   <parent>
     <groupId>org.apache.druid</groupId>
     <artifactId>druid</artifactId>
-    <version>30.0.1-SNAPSHOT</version>
+    <version>30.0.1</version>
   </parent>
 
   <properties>

Vulnerability mechanics

Root cause

"Insufficient validation of JDBC connection properties for MySQL connections allows bypassing the administrator-configured allow list."

Attack vector

An attacker must have Druid permissions to configure JDBC connections (e.g., set up Druid lookups or run ingestion tasks). The attacker crafts a MySQL JDBC connection string that includes properties not on the administrator-configured allow list. Because the allow-list validation is insufficient for MySQL JDBC connections, the attacker can supply arbitrary JDBC properties, potentially enabling actions such as connecting to unauthorized databases or altering connection behavior [CWE-20]. This is a bypass of the intended restriction that only TLS-related properties should be permitted.

Affected code

The advisory does not specify the exact source files or functions at fault. The vulnerability involves the JDBC connection property allow-list mechanism in Apache Druid, which is intended to restrict users to TLS-related properties only. The patch provided (tag `druid-30.0.1-rc1`) only contains Maven release-version bumps and formatting changes, not the actual security fix — the real code change is not visible in this patch bundle.

What the fix does

The patch provided (commit `a30af7a91d528e5c3a90356a5592abc7119191c6`) only updates version numbers from `30.0.1-SNAPSHOT` to `30.0.1` and makes minor whitespace/formatting changes in POM files — it does not contain the actual security fix. The advisory states the issue is fixed in Apache Druid 30.0.1, but the real code change that strengthens JDBC property validation is not included in this diff. Administrators should upgrade to Druid 30.0.1 to receive the complete fix.

Preconditions

  • authAttacker must have Druid permissions to configure JDBC connections (e.g., set up lookups or run ingestion tasks)
  • configTarget Druid instance must be configured with a MySQL JDBC connection

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.