CVE-2021-44791

MEDIUM6.1EPSS 6.0%

Apache Druid before 0.23.0 vulnerable to reflected XSS via unescaped URL parameters

Published: 7/8/2022Modified: 11/8/2023

Description

In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. This issue is patched in version 0.23.0.

Affected packages (1)

Maven/org.apache.druid:druidfrom 0, < 0.23.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-44791
PATCHhttps://github.com/apache/druid
WEBhttps://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6