CVE-2021-44791

MEDIUM 6.1 | EPSS 6.0%

Apache Druid before 0.23.0 vulnerable to reflected XSS via unescaped URL parameters

Published: 2022/7/8 | Modified: 2023/11/8

Description

In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. This issue is patched in version 0.23.0.

Affected packages (1)

CVSS score

Source | Version | Severity | Vector
osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference links (3)