org.apache.druid:druid-core@0.16.1-incubating vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.druid:druid-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable version

Cross-site Scripting (XSS)
Severity: Medium

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unescaped URLs returned by HTML responses.

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.druid:druid-core to version 0.23.0 or higher.

Vulnerable versions: [,0.23.0)

Information Exposure
Severity: Medium

Affected versions of this package are vulnerable to Information Exposure. In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.

How to fix Information Exposure?

Upgrade org.apache.druid:druid-core to version 0.22.0 or higher.

Vulnerable versions: [,0.22.0)

Remote Code Execution (RCE)
Severity: High

Affected versions of this package are vulnerable to Remote Code Execution (RCE). This package has functionality that allows users to read data from other database systems using JDBC, so that trusted users with the proper permissions can set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties which, if left unmitigated, can allow an attacker to execute arbitrary code from an attacker-controlled malicious MySQL server within Druid server processes.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.druid:druid-core to version 0.20.2 or higher.

Vulnerable versions: [,0.20.2)

Remote Code Execution (RCE)
Severity: High

Affected versions of this package are vulnerable to Remote Code Execution (RCE). Authenticated users can override system configurations in their requests, which allows them to execute arbitrary code.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.druid:druid-core to version 0.20.1 or higher.

Vulnerable versions: [,0.20.1)