Maven package
org.apache.druid/druid
pkg:maven/org.apache.druid/druid
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59390 | — | < 35.0.0 | 35.0.0 | Nov 26, 2025 | Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure ran | ||
| CVE-2025-27888 | — | < 31.0.2 | 31.0.2 | Mar 20, 2025 | Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid | ||
| CVE-2024-45537 | — | < 30.0.1 | 30.0.1 | Sep 17, 2024 | Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users ar | ||
| CVE-2022-28889 | — | < 0.23.0 | 0.23.0 | Jul 7, 2022 | In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header. | ||
| CVE-2021-44791 | — | < 0.23.0 | 0.23.0 | Jul 7, 2022 | In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. | ||
| CVE-2021-26919 | — | < 0.20.2 | 0.20.2 | Mar 30, 2021 | Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can | ||
| CVE-2021-25646 | — | < 0.20.1 | 0.20.1 | Jan 29, 2021 | Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticat | ||
| CVE-2020-1958 | — | >= 0.17.0, < 0.17.1 | 0.17.1 | Apr 1, 2020 | When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject |
- CVE-2025-59390Nov 26, 2025affected < 35.0.0fixed 35.0.0
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure ran
- CVE-2025-27888Mar 20, 2025affected < 31.0.2fixed 31.0.2
Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid
- CVE-2024-45537Sep 17, 2024affected < 30.0.1fixed 30.0.1
Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users ar
- CVE-2022-28889Jul 7, 2022affected < 0.23.0fixed 0.23.0
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
- CVE-2021-44791Jul 7, 2022affected < 0.23.0fixed 0.23.0
In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.
- CVE-2021-26919Mar 30, 2021affected < 0.20.2fixed 0.20.2
Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can
- CVE-2021-25646Jan 29, 2021affected < 0.20.1fixed 0.20.1
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticat
- CVE-2020-1958Apr 1, 2020affected >= 0.17.0, < 0.17.1fixed 0.17.1
When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject